From: Greg KH <greg@kroah.com>
To: Nicolas Schier <n.schier@avm.de>
Cc: stable@vger.kernel.org, Guillaume Nault <g.nault@alphalink.fr>,
"David S . Miller" <davem@davemloft.net>
Subject: Re: [PATCH 1/1] l2tp: don't use l2tp_tunnel_find() in l2tp_ip and l2tp_ip6
Date: Wed, 27 Nov 2019 11:28:26 +0100 [thread overview]
Message-ID: <20191127102826.GA1996965@kroah.com> (raw)
In-Reply-To: <bd3a519ba6770a838d09550f1a6602d5fb7e80cb.1574846983.git.n.schier@avm.de>
On Wed, Nov 27, 2019 at 11:02:49AM +0100, Nicolas Schier wrote:
> From: Guillaume Nault <g.nault@alphalink.fr>
>
> commit 8f7dc9ae4a7aece9fbc3e6637bdfa38b36bcdf09 upstream.
>
> Using l2tp_tunnel_find() in l2tp_ip_recv() is wrong for two reasons:
>
> * It doesn't take a reference on the returned tunnel, which makes the
> call racy wrt. concurrent tunnel deletion.
>
> * The lookup is only based on the tunnel identifier, so it can return
> a tunnel that doesn't match the packet's addresses or protocol.
>
> For example, a packet sent to an L2TPv3 over IPv6 tunnel can be
> delivered to an L2TPv2 over UDPv4 tunnel. This is worse than a simple
> cross-talk: when delivering the packet to an L2TP over UDP tunnel, the
> corresponding socket is UDP, where ->sk_backlog_rcv() is NULL. Calling
> sk_receive_skb() will then crash the kernel by trying to execute this
> callback.
>
> And l2tp_tunnel_find() isn't even needed here. __l2tp_ip_bind_lookup()
> properly checks the socket binding and connection settings. It was used
> as a fallback mechanism for finding tunnels that didn't have their data
> path registered yet. But it's not limited to this case and can be used
> to replace l2tp_tunnel_find() in the general case.
>
> Fix l2tp_ip6 in the same way.
>
> Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
> Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
> Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Nicolas Schier <n.schier@avm.de>
> ---
> Please consider queuing this patch for v4.9.y.
Now queued up, thanks.
greg k-h
prev parent reply other threads:[~2019-11-27 10:29 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-27 10:02 [PATCH 0/1] Missing l2tp patch in v4.9.y series Nicolas Schier
2019-11-27 10:02 ` [PATCH 1/1] l2tp: don't use l2tp_tunnel_find() in l2tp_ip and l2tp_ip6 Nicolas Schier
2019-11-27 10:28 ` Greg KH [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191127102826.GA1996965@kroah.com \
--to=greg@kroah.com \
--cc=davem@davemloft.net \
--cc=g.nault@alphalink.fr \
--cc=n.schier@avm.de \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.