l2tp: Fix PPP header erasure and memory leak

[ Upstream commit 55b92b7a11 ] Copy user data after PPP framing header. This prevents erasure of the added PPP header and avoids leaking two bytes of uninitialised memory at the end of skb's data buffer. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-09 23:23:53 +02:00 · 2013-06-12 16:07:23 +02:00 · 2013-06-12 16:07:23 +02:00 · 3bf35eb3ed
commit 3bf35eb3ed
parent 991e73ccb5
1 changed files with 2 additions and 2 deletions
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@ -350,12 +350,12 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
 	skb_put(skb, 2);

 	/* Copy user data into skb */
-	error = memcpy_fromiovec(skb->data, m->msg_iov, total_len);
+	error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov,
+				 total_len);
 	if (error < 0) {
 		kfree_skb(skb);
 		goto error_put_sess_tun;
 	}
-	skb_put(skb, total_len);

 	l2tp_xmit_skb(session, skb, session->hdr_len);