diff options
| author | Guillaume Nault <g.nault@alphalink.fr> | 2017-11-03 11:49:00 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-11-05 08:22:15 -0500 |
| commit | 8f7dc9ae4a7aece9fbc3e6637bdfa38b36bcdf09 (patch) | |
| tree | f2c6972dbfa0d0d4634370b1575cb57228150633 | |
| parent | baedf68a068ca29624f241426843635920f16e1d (diff) | |
l2tp: don't use l2tp_tunnel_find() in l2tp_ip and l2tp_ip6
Using l2tp_tunnel_find() in l2tp_ip_recv() is wrong for two reasons:
* It doesn't take a reference on the returned tunnel, which makes the
call racy wrt. concurrent tunnel deletion.
* The lookup is only based on the tunnel identifier, so it can return
a tunnel that doesn't match the packet's addresses or protocol.
For example, a packet sent to an L2TPv3 over IPv6 tunnel can be
delivered to an L2TPv2 over UDPv4 tunnel. This is worse than a simple
cross-talk: when delivering the packet to an L2TP over UDP tunnel, the
corresponding socket is UDP, where ->sk_backlog_rcv() is NULL. Calling
sk_receive_skb() will then crash the kernel by trying to execute this
callback.
And l2tp_tunnel_find() isn't even needed here. __l2tp_ip_bind_lookup()
properly checks the socket binding and connection settings. It was used
as a fallback mechanism for finding tunnels that didn't have their data
path registered yet. But it's not limited to this case and can be used
to replace l2tp_tunnel_find() in the general case.
Fix l2tp_ip6 in the same way.
Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/l2tp/l2tp_ip.c | 24 | ||||
| -rw-r--r-- | net/l2tp/l2tp_ip6.c | 24 |
2 files changed, 18 insertions, 30 deletions
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c index 4d322c1b7233..e4280b6568b4 100644 --- a/net/l2tp/l2tp_ip.c +++ b/net/l2tp/l2tp_ip.c | |||
| @@ -123,6 +123,7 @@ static int l2tp_ip_recv(struct sk_buff *skb) | |||
| 123 | unsigned char *ptr, *optr; | 123 | unsigned char *ptr, *optr; |
| 124 | struct l2tp_session *session; | 124 | struct l2tp_session *session; |
| 125 | struct l2tp_tunnel *tunnel = NULL; | 125 | struct l2tp_tunnel *tunnel = NULL; |
| 126 | struct iphdr *iph; | ||
| 126 | int length; | 127 | int length; |
| 127 | 128 | ||
| 128 | if (!pskb_may_pull(skb, 4)) | 129 | if (!pskb_may_pull(skb, 4)) |
| @@ -178,24 +179,17 @@ pass_up: | |||
| 178 | goto discard; | 179 | goto discard; |
| 179 | 180 | ||
| 180 | tunnel_id = ntohl(*(__be32 *) &skb->data[4]); | 181 | tunnel_id = ntohl(*(__be32 *) &skb->data[4]); |
| 181 | tunnel = l2tp_tunnel_find(net, tunnel_id); | 182 | iph = (struct iphdr *)skb_network_header(skb); |
| 182 | if (tunnel) { | ||
| 183 | sk = tunnel->sock; | ||
| 184 | sock_hold(sk); | ||
| 185 | } else { | ||
| 186 | struct iphdr *iph = (struct iphdr *) skb_network_header(skb); | ||
| 187 | |||
| 188 | read_lock_bh(&l2tp_ip_lock); | ||
| 189 | sk = __l2tp_ip_bind_lookup(net, iph->daddr, iph->saddr, | ||
| 190 | inet_iif(skb), tunnel_id); | ||
| 191 | if (!sk) { | ||
| 192 | read_unlock_bh(&l2tp_ip_lock); | ||
| 193 | goto discard; | ||
| 194 | } | ||
| 195 | 183 | ||
| 196 | sock_hold(sk); | 184 | read_lock_bh(&l2tp_ip_lock); |
| 185 | sk = __l2tp_ip_bind_lookup(net, iph->daddr, iph->saddr, inet_iif(skb), | ||
| 186 | tunnel_id); | ||
| 187 | if (!sk) { | ||
| 197 | read_unlock_bh(&l2tp_ip_lock); | 188 | read_unlock_bh(&l2tp_ip_lock); |
| 189 | goto discard; | ||
| 198 | } | 190 | } |
| 191 | sock_hold(sk); | ||
| 192 | read_unlock_bh(&l2tp_ip_lock); | ||
| 199 | 193 | ||
| 200 | if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) | 194 | if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) |
| 201 | goto discard_put; | 195 | goto discard_put; |
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c index 88b397c30d86..8bcaa975b432 100644 --- a/net/l2tp/l2tp_ip6.c +++ b/net/l2tp/l2tp_ip6.c | |||
| @@ -136,6 +136,7 @@ static int l2tp_ip6_recv(struct sk_buff *skb) | |||
| 136 | unsigned char *ptr, *optr; | 136 | unsigned char *ptr, *optr; |
| 137 | struct l2tp_session *session; | 137 | struct l2tp_session *session; |
| 138 | struct l2tp_tunnel *tunnel = NULL; | 138 | struct l2tp_tunnel *tunnel = NULL; |
| 139 | struct ipv6hdr *iph; | ||
| 139 | int length; | 140 | int length; |
| 140 | 141 | ||
| 141 | if (!pskb_may_pull(skb, 4)) | 142 | if (!pskb_may_pull(skb, 4)) |
| @@ -192,24 +193,17 @@ pass_up: | |||
| 192 | goto discard; | 193 | goto discard; |
| 193 | 194 | ||
| 194 | tunnel_id = ntohl(*(__be32 *) &skb->data[4]); | 195 | tunnel_id = ntohl(*(__be32 *) &skb->data[4]); |
| 195 | tunnel = l2tp_tunnel_find(net, tunnel_id); | 196 | iph = ipv6_hdr(skb); |
| 196 | if (tunnel) { | ||
| 197 | sk = tunnel->sock; | ||
| 198 | sock_hold(sk); | ||
| 199 | } else { | ||
| 200 | struct ipv6hdr *iph = ipv6_hdr(skb); | ||
| 201 | |||
| 202 | read_lock_bh(&l2tp_ip6_lock); | ||
| 203 | sk = __l2tp_ip6_bind_lookup(net, &iph->daddr, &iph->saddr, | ||
| 204 | inet6_iif(skb), tunnel_id); | ||
| 205 | if (!sk) { | ||
| 206 | read_unlock_bh(&l2tp_ip6_lock); | ||
| 207 | goto discard; | ||
| 208 | } | ||
| 209 | 197 | ||
| 210 | sock_hold(sk); | 198 | read_lock_bh(&l2tp_ip6_lock); |
| 199 | sk = __l2tp_ip6_bind_lookup(net, &iph->daddr, &iph->saddr, | ||
| 200 | inet6_iif(skb), tunnel_id); | ||
| 201 | if (!sk) { | ||
| 211 | read_unlock_bh(&l2tp_ip6_lock); | 202 | read_unlock_bh(&l2tp_ip6_lock); |
| 203 | goto discard; | ||
| 212 | } | 204 | } |
| 205 | sock_hold(sk); | ||
| 206 | read_unlock_bh(&l2tp_ip6_lock); | ||
| 213 | 207 | ||
| 214 | if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) | 208 | if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) |
| 215 | goto discard_put; | 209 | goto discard_put; |