diff options
| author | Guillaume Nault <g.nault@alphalink.fr> | 2013-06-12 16:07:23 +0200 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2013-06-29 04:06:43 +0100 |
| commit | 480efdbc973db5797f68c3002432427893e78458 (patch) | |
| tree | 9f26c6b054191cefbe21df2087f3faaf3566e350 /net/l2tp | |
| parent | 4f5a75542dff85553a5b2bd2f38e2fe02bca0577 (diff) | |
| download | kernel_samsung_smdk4412-480efdbc973db5797f68c3002432427893e78458.zip kernel_samsung_smdk4412-480efdbc973db5797f68c3002432427893e78458.tar.gz kernel_samsung_smdk4412-480efdbc973db5797f68c3002432427893e78458.tar.bz2 | |
l2tp: Fix PPP header erasure and memory leak
[ Upstream commit 55b92b7a11690bc377b5d373872a6b650ae88e64 ]
Copy user data after PPP framing header. This prevents erasure of the
added PPP header and avoids leaking two bytes of uninitialised memory
at the end of skb's data buffer.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'net/l2tp')
| -rw-r--r-- | net/l2tp/l2tp_ppp.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c index 6f60175..8ab041b 100644 --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -350,12 +350,12 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh skb_put(skb, 2); /* Copy user data into skb */ - error = memcpy_fromiovec(skb->data, m->msg_iov, total_len); + error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov, + total_len); if (error < 0) { kfree_skb(skb); goto error_put_sess_tun; } - skb_put(skb, total_len); l2tp_xmit_skb(session, skb, session->hdr_len); |