aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/net/pppol2tp.c
diff options
context:
space:
mode:
Diffstat (limited to 'drivers/net/pppol2tp.c')
-rw-r--r--drivers/net/pppol2tp.c25
1 files changed, 18 insertions, 7 deletions
diff --git a/drivers/net/pppol2tp.c b/drivers/net/pppol2tp.c
index f8904fd92369..a7556cd2df79 100644
--- a/drivers/net/pppol2tp.c
+++ b/drivers/net/pppol2tp.c
@@ -488,7 +488,7 @@ static int pppol2tp_recv_core(struct sock *sock, struct sk_buff *skb)
488{ 488{
489 struct pppol2tp_session *session = NULL; 489 struct pppol2tp_session *session = NULL;
490 struct pppol2tp_tunnel *tunnel; 490 struct pppol2tp_tunnel *tunnel;
491 unsigned char *ptr; 491 unsigned char *ptr, *optr;
492 u16 hdrflags; 492 u16 hdrflags;
493 u16 tunnel_id, session_id; 493 u16 tunnel_id, session_id;
494 int length; 494 int length;
@@ -496,7 +496,7 @@ static int pppol2tp_recv_core(struct sock *sock, struct sk_buff *skb)
496 496
497 tunnel = pppol2tp_sock_to_tunnel(sock); 497 tunnel = pppol2tp_sock_to_tunnel(sock);
498 if (tunnel == NULL) 498 if (tunnel == NULL)
499 goto error; 499 goto no_tunnel;
500 500
501 /* UDP always verifies the packet length. */ 501 /* UDP always verifies the packet length. */
502 __skb_pull(skb, sizeof(struct udphdr)); 502 __skb_pull(skb, sizeof(struct udphdr));
@@ -509,7 +509,7 @@ static int pppol2tp_recv_core(struct sock *sock, struct sk_buff *skb)
509 } 509 }
510 510
511 /* Point to L2TP header */ 511 /* Point to L2TP header */
512 ptr = skb->data; 512 optr = ptr = skb->data;
513 513
514 /* Get L2TP header flags */ 514 /* Get L2TP header flags */
515 hdrflags = ntohs(*(__be16*)ptr); 515 hdrflags = ntohs(*(__be16*)ptr);
@@ -637,12 +637,14 @@ static int pppol2tp_recv_core(struct sock *sock, struct sk_buff *skb)
637 /* If offset bit set, skip it. */ 637 /* If offset bit set, skip it. */
638 if (hdrflags & L2TP_HDRFLAG_O) { 638 if (hdrflags & L2TP_HDRFLAG_O) {
639 offset = ntohs(*(__be16 *)ptr); 639 offset = ntohs(*(__be16 *)ptr);
640 skb->transport_header += 2 + offset; 640 ptr += 2 + offset;
641 if (!pskb_may_pull(skb, skb_transport_offset(skb) + 2))
642 goto discard;
643 } 641 }
644 642
645 __skb_pull(skb, skb_transport_offset(skb)); 643 offset = ptr - optr;
644 if (!pskb_may_pull(skb, offset))
645 goto discard;
646
647 __skb_pull(skb, offset);
646 648
647 /* Skip PPP header, if present. In testing, Microsoft L2TP clients 649 /* Skip PPP header, if present. In testing, Microsoft L2TP clients
648 * don't send the PPP header (PPP header compression enabled), but 650 * don't send the PPP header (PPP header compression enabled), but
@@ -652,6 +654,9 @@ static int pppol2tp_recv_core(struct sock *sock, struct sk_buff *skb)
652 * Note that skb->data[] isn't dereferenced from a u16 ptr here since 654 * Note that skb->data[] isn't dereferenced from a u16 ptr here since
653 * the field may be unaligned. 655 * the field may be unaligned.
654 */ 656 */
657 if (!pskb_may_pull(skb, 2))
658 goto discard;
659
655 if ((skb->data[0] == 0xff) && (skb->data[1] == 0x03)) 660 if ((skb->data[0] == 0xff) && (skb->data[1] == 0x03))
656 skb_pull(skb, 2); 661 skb_pull(skb, 2);
657 662
@@ -709,6 +714,10 @@ discard:
709 return 0; 714 return 0;
710 715
711error: 716error:
717 /* Put UDP header back */
718 __skb_push(skb, sizeof(struct udphdr));
719
720no_tunnel:
712 return 1; 721 return 1;
713} 722}
714 723
@@ -1050,6 +1059,8 @@ static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
1050 /* Get routing info from the tunnel socket */ 1059 /* Get routing info from the tunnel socket */
1051 dst_release(skb->dst); 1060 dst_release(skb->dst);
1052 skb->dst = sk_dst_get(sk_tun); 1061 skb->dst = sk_dst_get(sk_tun);
1062 skb_orphan(skb);
1063 skb->sk = sk_tun;
1053 1064
1054 /* Queue the packet to IP for output */ 1065 /* Queue the packet to IP for output */
1055 len = skb->len; 1066 len = skb->len;
generated by cgit v1.2.2 (git 2.25.0) at 2025-12-14 03:41:40 -0500