From: Guillaume Nault <g.nault@alphalink.fr>
To: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Cc: davem@davemloft.net, netdev@vger.kernel.org, jchapman@katalix.com
Subject: Re: [PATCH net-next 2/3] l2tp: configure l2specific_len according to l2specific_type
Date: Wed, 10 Jan 2018 18:55:17 +0100 [thread overview]
Message-ID: <20180110175517.GA1434@alphalink.fr> (raw)
In-Reply-To: <ac1dc830211f79fcae6637ac58c7a4aa5d3d3b69.1515603824.git.lorenzo.bianconi@redhat.com>
On Wed, Jan 10, 2018 at 06:20:41PM +0100, Lorenzo Bianconi wrote:
> Set l2specific_len according to the L2-Specific Sublayer type specified
> by the userspace and not rely on a user supplied value for sublayer len
> since invalid usage of L2TP_ATTR_L2SPEC_LEN allows leaking memory on the
> network and sending corrupted frames.
> Moreover add a sanity check on l2specific_type provided by userspace
>
> Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
> ---
> net/l2tp/l2tp_netlink.c | 21 ++++++++++++++++-----
> 1 file changed, 16 insertions(+), 5 deletions(-)
>
> diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
> index 48b5bf30ec50..404e5482c4e7 100644
> --- a/net/l2tp/l2tp_netlink.c
> +++ b/net/l2tp/l2tp_netlink.c
> @@ -550,13 +550,24 @@ static int l2tp_nl_cmd_session_create(struct sk_buff *skb, struct genl_info *inf
> if (info->attrs[L2TP_ATTR_DATA_SEQ])
> cfg.data_seq = nla_get_u8(info->attrs[L2TP_ATTR_DATA_SEQ]);
>
> - cfg.l2specific_type = L2TP_L2SPECTYPE_DEFAULT;
> - if (info->attrs[L2TP_ATTR_L2SPEC_TYPE])
> + if (info->attrs[L2TP_ATTR_L2SPEC_TYPE]) {
> cfg.l2specific_type = nla_get_u8(info->attrs[L2TP_ATTR_L2SPEC_TYPE]);
>
> - cfg.l2specific_len = 4;
> - if (info->attrs[L2TP_ATTR_L2SPEC_LEN])
> - cfg.l2specific_len = nla_get_u8(info->attrs[L2TP_ATTR_L2SPEC_LEN]);
> + switch (cfg.l2specific_type) {
> + case L2TP_L2SPECTYPE_DEFAULT:
> + cfg.l2specific_len = 4;
> + break;
> + case L2TP_L2SPECTYPE_NONE:
> + cfg.l2specific_len = 0;
> + break;
> + default:
> + ret = -EINVAL;
> + goto out_tunnel;
> + }
> + } else {
> + cfg.l2specific_type = L2TP_L2SPECTYPE_DEFAULT;
> + cfg.l2specific_len = 4;
> + }
>
> if (info->attrs[L2TP_ATTR_COOKIE]) {
> u16 len = nla_len(info->attrs[L2TP_ATTR_COOKIE]);
>
I think we can go one step further and remove .l2specific_len from
struct l2tp_session and struct l2tp_session_cfg. We never need this
information. Then we can start ignoring the L2TP_ATTR_L2SPEC_LEN
attribute just like we've done with L2TP_ATTR_OFFSET.
next prev parent reply other threads:[~2018-01-10 17:55 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-10 17:20 [PATCH net-next 0/3] set l2specific_len based on l2specific_type Lorenzo Bianconi
2018-01-10 17:20 ` [PATCH net-next 1/3] l2tp: fix switch default error handling in l2tp_nl_cmd_session_create() Lorenzo Bianconi
2018-01-10 17:20 ` [PATCH net-next 2/3] l2tp: configure l2specific_len according to l2specific_type Lorenzo Bianconi
2018-01-10 17:55 ` Guillaume Nault [this message]
2018-01-10 18:06 ` Lorenzo Bianconi
2018-01-10 17:20 ` [PATCH net-next 3/3] l2tp: mark L2TP_ATTR_L2SPEC_LEN as not used Lorenzo Bianconi
2018-01-10 17:59 ` Guillaume Nault
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180110175517.GA1434@alphalink.fr \
--to=g.nault@alphalink.fr \
--cc=davem@davemloft.net \
--cc=jchapman@katalix.com \
--cc=lorenzo.bianconi@redhat.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.