l2tp: fix another panic in pppol2tp

Commit 3feec909 ("l2tp: Fix oops in pppol2tp_xmit") was backported
into 2.6.32.16 to fix a possible null deref in pppol2tp. But the same
still exists in pppol2tp_sendmsg() possibly causing the same crash.
Note that this bug doesn't appear to have any other impact than crashing
the system, as the dereferenced pointer is only used to test a value
against a 3-bit mask, so it can hardly be abused for anything except
leaking one third of a bit of memory.

This issue doesn't exist upstream because the code was replaced in 2.6.35
and the new function l2tp_xmit_skb() performs the appropriate check.
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Willy Tarreau <w@1wt.eu>

drivers/net/pppol2tp.c

@@ -975,7 +975,8 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
 	/* Calculate UDP checksum if configured to do so */
 	if (sk_tun->sk_no_check == UDP_CSUM_NOXMIT)
 		skb->ip_summed = CHECKSUM_NONE;
-	else if (!(skb_dst(skb)->dev->features & NETIF_F_V4_CSUM)) {
+	else if ((skb_dst(skb) && skb_dst(skb)->dev) &&
+		 (!(skb_dst(skb)->dev->features & NETIF_F_V4_CSUM))) {
 		skb->ip_summed = CHECKSUM_COMPLETE;
 		csum = skb_checksum(skb, 0, udp_len, 0);
 		uh->check = csum_tcpudp_magic(inet->saddr, inet->daddr,