From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Miller Subject: Re: [PATCH net] l2tp: don't use l2tp_tunnel_find() in l2tp_ip and l2tp_ip6 Date: Sun, 05 Nov 2017 22:22:28 +0900 (KST) Message-ID: <20171105.222228.340963731082709999.davem@davemloft.net> References: <8d82022c67fe889aeabf04e49f1b2792a9471b1e.1509723963.git.g.nault@alphalink.fr> Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: netdev@vger.kernel.org, jchapman@katalix.com, celston@katalix.com To: g.nault@alphalink.fr Return-path: Received: from shards.monkeyblade.net ([184.105.139.130]:46108 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752078AbdKENWd (ORCPT ); Sun, 5 Nov 2017 08:22:33 -0500 In-Reply-To: <8d82022c67fe889aeabf04e49f1b2792a9471b1e.1509723963.git.g.nault@alphalink.fr> Sender: netdev-owner@vger.kernel.org List-ID: From: Guillaume Nault Date: Fri, 3 Nov 2017 16:49:00 +0100 > Using l2tp_tunnel_find() in l2tp_ip_recv() is wrong for two reasons: > > * It doesn't take a reference on the returned tunnel, which makes the > call racy wrt. concurrent tunnel deletion. > > * The lookup is only based on the tunnel identifier, so it can return > a tunnel that doesn't match the packet's addresses or protocol. > > For example, a packet sent to an L2TPv3 over IPv6 tunnel can be > delivered to an L2TPv2 over UDPv4 tunnel. This is worse than a simple > cross-talk: when delivering the packet to an L2TP over UDP tunnel, the > corresponding socket is UDP, where ->sk_backlog_rcv() is NULL. Calling > sk_receive_skb() will then crash the kernel by trying to execute this > callback. > > And l2tp_tunnel_find() isn't even needed here. __l2tp_ip_bind_lookup() > properly checks the socket binding and connection settings. It was used > as a fallback mechanism for finding tunnels that didn't have their data > path registered yet. But it's not limited to this case and can be used > to replace l2tp_tunnel_find() in the general case. > > Fix l2tp_ip6 in the same way. > > Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support") > Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6") > Signed-off-by: Guillaume Nault Applied, thanks.