[NETFILTER]: pptp helper: fix buffer overflow reqlen directly depends on skb->len and is used as argument to skb_header_pointer, which copies the data to _pptpReq if it is in the non-linear area. Signed-off-by: Patrick McHardy
---
commit 2834891111a5574444e4af9a6b1fd496a3359f2b tree f02ddf7e154110ea3514731843a743286d9ee240 parent d7ea87423cdd670f2dbb737d2baf1cceaa78346c author Patrick McHardy Thu, 15 Sep 2005 23:32:59 +0200 committer Patrick McHardy Thu, 15 Sep 2005 23:32:59 +0200 net/ipv4/netfilter/ip_conntrack_helper_pptp.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/net/ipv4/netfilter/ip_conntrack_helper_pptp.c b/net/ipv4/netfilter/ip_conntrack_helper_pptp.c
--- a/net/ipv4/netfilter/ip_conntrack_helper_pptp.c
+++ b/net/ipv4/netfilter/ip_conntrack_helper_pptp.c
@@ -330,6 +330,8 @@ pptp_inbound_pkt(struct sk_buff **pskb,
 }
 reqlen = datalen - sizeof(struct pptp_pkt_hdr) - sizeof(_ctlh);
+ if (reqlen > sizeof(*pptpReq))
+ reqlen = sizeof(*pptpReq);
 pptpReq = skb_header_pointer(*pskb, ctlhoff+sizeof(_ctlh), reqlen, &_pptpReq);
 if (unlikely(!pptpReq)) {
@@ -535,6 +537,8 @@ pptp_outbound_pkt(struct sk_buff **pskb,
 return NF_ACCEPT;
 reqlen = datalen - sizeof(struct pptp_pkt_hdr) - sizeof(_ctlh);
+ if (reqlen > sizeof(*pptpReq))
+ reqlen = sizeof(*pptpReq);
 pptpReq = skb_header_pointer(*pskb, ctlhoff+sizeof(_ctlh), reqlen, &_pptpReq);
 if (!pptpReq)
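Review bot: The new clamp in pptp_inbound_pkt bounds reqlen by `sizeof(*pptpReq)`, but the buffer that skb_header_pointer() copies into is `_pptpReq`. Writing it as `if (reqlen > sizeof(_pptpReq)) reqlen = sizeof(_pptpReq);` ties the limit to the actual destination; both variables are declared outside the hunk, presumably with the same type, so this only matters if they ever diverge. The identical clamp in the pptp_outbound_pkt hunk has the same issue. Neither hunk shows a lower bound on datalen, so if it can be smaller than the two headers the subtraction presumably wraps and the clamp turns it into a full-size request, which is rejected only because skb_header_pointer() fails on a short packet. A comment such as `/* cap the copy at the size of _pptpReq; short packets are rejected by skb_header_pointer() */` above each clamp would record that reliance; both function bodies continue outside the hunks.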