Patchwork [3.5.y.z,extended,stable] Patch "l2tp: Fix PPP header erasure and memory leak" has been added to staging queue

login
register
mail settings
Submitter Luis Henriques
Date June 24, 2013, 8:19 a.m.
Message ID <1372061964-5509-1-git-send-email-luis.henriques@canonical.com>
Download mbox | patch
Permalink /patch/253727/
State New
Headers show

Comments

Luis Henriques - June 24, 2013, 8:19 a.m.
This is a note to let you know that I have just added a patch titled

    l2tp: Fix PPP header erasure and memory leak

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

From bb0af81c57c583e3726a157b04e0501d2c688a8c Mon Sep 17 00:00:00 2001
From: Guillaume Nault <g.nault@alphalink.fr>
Date: Wed, 12 Jun 2013 16:07:23 +0200
Subject: [PATCH] l2tp: Fix PPP header erasure and memory leak

commit 55b92b7a11690bc377b5d373872a6b650ae88e64 upstream.

Copy user data after PPP framing header. This prevents erasure of the
added PPP header and avoids leaking two bytes of uninitialised memory
at the end of skb's data buffer.

Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 net/l2tp/l2tp_ppp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--
1.8.1.2

Patch

diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 46c7cc7..42dfd0e 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -345,12 +345,12 @@  static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
 	skb_put(skb, 2);

 	/* Copy user data into skb */
-	error = memcpy_fromiovec(skb->data, m->msg_iov, total_len);
+	error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov,
+				 total_len);
 	if (error < 0) {
 		kfree_skb(skb);
 		goto error_put_sess_tun;
 	}
-	skb_put(skb, total_len);

 	l2tp_xmit_skb(session, skb, session->hdr_len);