@@ -535,16 +535,18 @@ static int l2tp_avp_hide(void **buffer,
* and we just need to shift the data up 2 bytes.
*/
new_buffer_len = orig_buffer_len + 2 + pad + 16;
- new_buffer = realloc(orig_buffer, new_buffer_len + L2TP_AVP_HEADER_LEN);
+ new_buffer = malloc(new_buffer_len + L2TP_AVP_HEADER_LEN);
if (new_buffer == NULL) {
return -ENOMEM;
}
- memmove(new_buffer + L2TP_AVP_HEADER_LEN + 2, orig_buffer + L2TP_AVP_HEADER_LEN, orig_buffer_len - L2TP_AVP_HEADER_LEN);
+ memcpy(new_buffer, orig_buffer, L2TP_AVP_HEADER_LEN);
+ memcpy(new_buffer + L2TP_AVP_HEADER_LEN + 2, orig_buffer + L2TP_AVP_HEADER_LEN, orig_buffer_len - L2TP_AVP_HEADER_LEN);
orig_len = new_buffer + L2TP_AVP_HEADER_LEN;
*orig_len = htons(orig_buffer_len - L2TP_AVP_HEADER_LEN);
if (new_buffer != orig_buffer) {
*buffer = new_buffer;
}
+ free(orig_buffer);
flag_len = new_buffer;
tmp = ntohs(*flag_len);
*flag_len = htons(tmp + 2 + pad);
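Review bot: The added `free(orig_buffer)` releases what appears to be the still-cleartext AVP (the value this function is about to hide) without scrubbing it, so those bytes stay readable in freed heap memory; consider `explicit_bzero(orig_buffer, orig_buffer_len);` (or the project's own equivalent) just before the free, assuming `orig_buffer_len` is the length of the data held in that allocation. With `malloc` replacing `realloc`, `new_buffer != orig_buffer` is now always true, so the guard can become an unconditional `*buffer = new_buffer;`, which also makes it plain that the caller's pointer never dangles after the free. Both `memcpy` calls assume `orig_buffer_len >= L2TP_AVP_HEADER_LEN`; no such check is visible here, and the body of l2tp_avp_hide starts and ends outside the hunk, so confirm the length is validated earlier, since the subtraction would otherwise wrap to a very large copy size if the length is unsigned.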
@@ -1995,7 +1997,7 @@ int l2tp_avp_message_decode(int msg_len,
result = l2tp_avp_unhide(avp, &unhidden_avp_len,
(unsigned char *const) secret, secret_len,
(unsigned char *const) data[TYPE(RANDOM_VECTOR)].value,
- data[TYPE(RANDOM_VECTOR].value_len));
+ data[TYPE(RANDOM_VECTOR)].value_len);
if (result < 0) {
l2tp_tunnel_log(tunnel, L2TP_AVPHIDE, LOG_ERR, "AVPHIDE: tunl %hu: avp unhide error: %s",
l2tp_tunnel_id(tunnel), l2tp_strerror(-result));