Commit 66f5604
net: ppp: Add bound checking for skb data on ppp_sync_txmung
jira NONE_AUTOMATION
cve CVE-2025-37749
Rebuild_History Non-Buildable kernel-5.14.0-570.17.1.el9_6
commit-author Arnaud Lecomte <[email protected]>
commit aabc659
Ensure we have enough data in linear buffer from skb before accessing
initial bytes. This prevents potential out-of-bounds accesses
when processing short packets.

When ppp_sync_txmung receives an incoming package with an empty
payload:

    (remote) gef➤ p *(struct pppoe_hdr *) (skb->head + skb->network_header)
    $18 = {
      type = 0x1,
      ver = 0x1,
      code = 0x0,
      sid = 0x2,
      length = 0x0,
      tag = 0xffff8880371cdb96
    }

from the skb struct (trimmed)

    tail = 0x16,
    end = 0x140,
    head = 0xffff88803346f400 "4",
    data = 0xffff88803346f416 ":\377",
    truesize = 0x380,
    len = 0x0,
    data_len = 0x0,
    mac_len = 0xe,
    hdr_len = 0x0,

it is not safe to access data[2].

Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=29fc8991b0ecb186cf40
Tested-by: [email protected]
Fixes: 1da177e ("Linux-2.6.12-rc2")
Signed-off-by: Arnaud Lecomte <[email protected]>
Link: https://patch.msgid.link/20250408-bound-checking-ppp_txmung-v2-1-94bb6e1b92d0@arnaud-lcm.com
[[email protected]: fixed subj typo]
Signed-off-by: Paolo Abeni <[email protected]>
(cherry picked from commit aabc659)
Signed-off-by: Jonathan Maple <[email protected]>

1 parent 0a5c6a8 commit 66f5604

1 file changed
+5 -0 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
506 | 506 | | |
507 | 507 | | |
508 | 508 | | |
| 509 | + | |
| 510 | + | |
| 511 | + | |
| 512 | + | |
| 513 | + | |
509 | 514 | | |
510 | 515 | | |
511 | 516 | | |
| |||
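
The reasoning in the commit message, as an added userspace C model that is not part of the commit or the kernel source: a byte may be read through `data[]` only when its index is below the linear length (`len - data_len`), which is 0 for the dumped packet. `struct model_skb` and all function names are hypothetical, and both sample packets are constructed from the offsets in the dump.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical userspace stand-in for the sk_buff fields shown in the dump. */
struct model_skb {
    uint8_t *head;      /* start of the allocation */
    uint8_t *data;      /* first packet byte */
    size_t tail;        /* offset from head where linear data ends */
    size_t len;         /* total packet length */
    size_t data_len;    /* bytes held outside the linear buffer */
};

/* Same arithmetic as the kernel's skb_headlen(): bytes readable via data[]. */
static size_t linear_len(const struct model_skb *skb)
{
    return skb->len - skb->data_len;
}

/* Return data[idx], or -1 when idx is outside the linear area (drop packet). */
static int read_linear_byte(const struct model_skb *skb, size_t idx)
{
    if (skb->len < skb->data_len || idx >= linear_len(skb))
        return -1;
    return skb->data[idx];
}

/* Constructed packet using the offsets from the dump: tail 0x16, len 0. */
static int read_from_empty_packet(void)
{
    static uint8_t buf[0x140];
    struct model_skb skb = { buf, buf + 0x16, 0x16, 0, 0 };
    return read_linear_byte(&skb, 2);
}

/* Constructed 4-byte payload at the same offset; data[2] is now in bounds. */
static int read_from_four_byte_packet(void)
{
    static uint8_t buf[0x140];
    struct model_skb skb = { buf, buf + 0x16, 0x16 + 4, 4, 0 };
    buf[0x16 + 2] = 0x01;
    return read_linear_byte(&skb, 2);
}

int main(void)
{
    printf("%d %d\n", read_from_empty_packet(), read_from_four_byte_packet());
    return 0;
}
```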