From: James Chapman <jchapman@katalix.com>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, levinsasha928@gmail.com
Subject: Re: [PATCH] l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case
Date: Wed, 30 May 2012 09:53:54 +0100
Message-ID: <4FC5E022.6020609@katalix.com>
In-Reply-To: <20120529.172008.875375243438479060.davem@davemloft.net>

On 29/05/12 22:20, David Miller wrote:
> From: James Chapman <jchapman@katalix.com>
> Date: Tue, 29 May 2012 14:30:42 +0100
> 
>> An application may call connect() to disconnect a socket using an
>> address with family AF_UNSPEC. The L2TP IP sockets were not handling
>> this case when the socket is not bound and an attempt to connect()
>> using AF_UNSPEC in such cases would result in an oops. This patch
>> addresses the problem by protecting the sk_prot->disconnect() call
>> against trying to unhash the socket before it is bound.
>>
>> The L2TP IPv4 and IPv6 sockets have the same problem. Both are fixed
>> by this patch.
>>
>> The patch also adds more checks that the sockaddr supplied to bind()
>> and connect() calls is valid.
>>
>>  RIP: 0010:[<ffffffff82e133b0>]  [<ffffffff82e133b0>] inet_unhash+0x50/0xd0
>>  RSP: 0018:ffff88001989be28  EFLAGS: 00010293
>>  Stack:
>>   ffff8800407a8000 0000000000000000 ffff88001989be78 ffffffff82e3a249
>>   ffffffff82e3a050 ffff88001989bec8 ffff88001989be88 ffff8800407a8000
>>   0000000000000010 ffff88001989bec8 ffff88001989bea8 ffffffff82e42639
>>  Call Trace:
>>  [<ffffffff82e3a249>] udp_disconnect+0x1f9/0x290
>>  [<ffffffff82e42639>] inet_dgram_connect+0x29/0x80
>>  [<ffffffff82d012fc>] sys_connect+0x9c/0x100
>>
>> Reported-by: Sasha Levin <levinsasha928@gmail.com>
>> Signed-off-by: James Chapman <jchapman@katalix.com>
> 
> Applied and queued up for -stable, thanks James.

The patch doesn't apply to stable due to recent l2tp_ip changes (IPv6
support) already merged. I'll spin a version for -stable.


-- 
James Chapman
Katalix Systems Ltd
http://www.katalix.com
Catalysts for your Embedded Linux software development
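
The failure mode described in the quoted commit message, as an added example that is not part of the original message or of the patch: a userspace C model of a connect() path that validates the supplied sockaddr and only reaches the unhash step once the socket is bound. All names (model_sock, model_connect, the guarded flag) are hypothetical, and the -EFAULT return stands in for the oops.

```c
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Hypothetical userspace model; not kernel code and not the patch. */
struct model_sock {
    int bound;      /* set once bind() has succeeded */
    int hashed;     /* 1 while the socket is in the lookup table */
    int connected;
};

/* Unhashing a never-hashed socket: -EFAULT stands in for the oops. */
static int model_unhash(struct model_sock *sk)
{
    if (!sk->hashed)
        return -EFAULT;
    sk->hashed = 0;
    return 0;
}

/* guarded != 0: skip the unhash step while the socket is unbound. */
static int model_disconnect(struct model_sock *sk, int guarded)
{
    sk->connected = 0;
    if (guarded && !sk->bound)
        return 0;
    return model_unhash(sk);
}

int model_connect(struct model_sock *sk, const struct sockaddr *uaddr,
                  socklen_t len, int guarded)
{
    if (!uaddr || len < sizeof(uaddr->sa_family))  /* validate first */
        return -EINVAL;
    if (uaddr->sa_family == AF_UNSPEC)             /* disconnect request */
        return model_disconnect(sk, guarded);
    if (uaddr->sa_family != AF_INET)
        return -EAFNOSUPPORT;
    if (len < sizeof(struct sockaddr_in))
        return -EINVAL;
    sk->connected = 1;
    return 0;
}

int main(void)
{
    struct model_sock sk = {0, 0, 0};
    struct sockaddr un = { .sa_family = AF_UNSPEC };
    return model_connect(&sk, &un, sizeof un, 1);  /* guarded path: 0 */
}
```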

Thread overview: 4+ messages
2012-05-29 13:30 [PATCH] l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case James Chapman
2012-05-29 21:20 ` David Miller
2012-05-30  8:53   ` James Chapman [this message]
2012-05-30  9:05     ` David Miller
