AcoSail/kernel_optimize_test
8
0
Fork 0
forked from luck/tmp_suning_uos_patched
Code Pull Requests Activity

l2tp: only accept PPP sessions in pppol2tp_connect()

Browse Source 
l2tp_session_priv() returns a struct pppol2tp_session pointer only for
PPPoL2TP sessions. In particular, if the session is an L2TP_PWTYPE_ETH
pseudo-wire, l2tp_session_priv() returns a pointer to an l2tp_eth_sess
structure, which is much smaller than struct pppol2tp_session. This
leads to invalid memory dereference when trying to lock ps->sk_lock.

Fixes: d9e31d17ce ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Guillaume Nault 2018-06-13 15:09:19 +02:00 committed by David S. Miller
parent 90904ff5f9
commit 7ac6ab1f8a
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
net/l2tp/l2tp_ppp.c
View File

@ -734,6 +734,12 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
session = l2tp_session_get(sock_net(sk), tunnel, session_id); session = l2tp_session_get(sock_net(sk), tunnel, session_id);
if (session) { if (session) {
drop_refcnt = true; drop_refcnt = true;
if (session->pwtype != L2TP_PWTYPE_PPP) {
error = -EPROTOTYPE;
goto end;
}
ps = l2tp_session_priv(session); ps = l2tp_session_priv(session);
/* Using a pre-existing session is fine as long as it hasn't /* Using a pre-existing session is fine as long as it hasn't