This is a note to let you know that I've just added the patch titled l2tp: Fix PPP header erasure and memory leak to the 3.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: l2tp-fix-ppp-header-erasure-and-memory-leak.patch and it can be found in the queue-3.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From f4d2a6a3b62f075a8b2d119cc65ba6edcb0f95ae Mon Sep 17 00:00:00 2001 From: Guillaume Nault <g.nault@xxxxxxxxxxxx> Date: Wed, 12 Jun 2013 16:07:23 +0200 Subject: l2tp: Fix PPP header erasure and memory leak From: Guillaume Nault <g.nault@xxxxxxxxxxxx> [ Upstream commit 55b92b7a11690bc377b5d373872a6b650ae88e64 ] Copy user data after PPP framing header. This prevents erasure of the added PPP header and avoids leaking two bytes of uninitialised memory at the end of skb's data buffer. Signed-off-by: Guillaume Nault <g.nault@xxxxxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/l2tp/l2tp_ppp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -346,12 +346,12 @@ static int pppol2tp_sendmsg(struct kiocb skb_put(skb, 2); /* Copy user data into skb */ - error = memcpy_fromiovec(skb->data, m->msg_iov, total_len); + error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov, + total_len); if (error < 0) { kfree_skb(skb); goto error_put_sess_tun; } - skb_put(skb, total_len); l2tp_xmit_skb(session, skb, session->hdr_len); Patches currently in stable-queue which might be from g.nault@xxxxxxxxxxxx are queue-3.9/l2tp-fix-sendmsg-return-value.patch queue-3.9/l2tp-fix-ppp-header-erasure-and-memory-leak.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html