aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorFrançois Cachereul <f.cachereul@alphalink.fr>2013-10-02 04:16:02 -0400
committerDavid S. Miller <davem@davemloft.net>2013-10-02 17:09:22 -0400
commite18503f41f9b12132c95d7c31ca6ee5155e44e5c (patch)
tree470f0046e072f857e545295ed3464d58e8435a5a /net
parent80ad1d61e72d626e30ebe8529a0455e660ca4693 (diff)
l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses
IPv4 mapped addresses cause kernel panic. The patch juste check whether the IPv6 address is an IPv4 mapped address. If so, use IPv4 API instead of IPv6. [ 940.026915] general protection fault: 0000 [#1] [ 940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse [ 940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1 [ 940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 [ 940.026915] task: ffff880007130e20 ti: ffff88000737e000 task.ti: ffff88000737e000 [ 940.026915] RIP: 0010:[<ffffffff81333780>] [<ffffffff81333780>] ip6_xmit+0x276/0x326 [ 940.026915] RSP: 0018:ffff88000737fd28 EFLAGS: 00010286 [ 940.026915] RAX: c748521a75ceff48 RBX: ffff880000c30800 RCX: 0000000000000000 [ 940.026915] RDX: ffff88000075cc4e RSI: 0000000000000028 RDI: ffff8800060e5a40 [ 940.026915] RBP: ffff8800060e5a40 R08: 0000000000000000 R09: ffff88000075cc90 [ 940.026915] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88000737fda0 [ 940.026915] R13: 0000000000000000 R14: 0000000000002000 R15: ffff880005d3b580 [ 940.026915] FS: 00007f163dc5e800(0000) GS:ffffffff81623000(0000) knlGS:0000000000000000 [ 940.026915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 940.026915] CR2: 00000004032dc940 CR3: 0000000005c25000 CR4: 00000000000006f0 [ 940.026915] Stack: [ 940.026915] ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020 [ 940.026915] 11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800 [ 940.026915] ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020 [ 940.026915] Call Trace: [ 940.026915] [<ffffffff81356cc3>] ? inet6_csk_xmit+0xa4/0xc4 [ 940.026915] [<ffffffffa0038535>] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core] [ 940.026915] [<ffffffff812b8d3b>] ? pskb_expand_head+0x161/0x214 [ 940.026915] [<ffffffffa003e91d>] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp] [ 940.026915] [<ffffffffa00292e0>] ? ppp_channel_push+0x36/0x8b [ppp_generic] [ 940.026915] [<ffffffffa00293fe>] ? ppp_write+0xaf/0xc5 [ppp_generic] [ 940.026915] [<ffffffff8110ead4>] ? vfs_write+0xa2/0x106 [ 940.026915] [<ffffffff8110edd6>] ? SyS_write+0x56/0x8a [ 940.026915] [<ffffffff81378ac0>] ? system_call_fastpath+0x16/0x1b [ 940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49 8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02 00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51 [ 940.026915] RIP [<ffffffff81333780>] ip6_xmit+0x276/0x326 [ 940.026915] RSP <ffff88000737fd28> [ 940.057945] ---[ end trace be8aba9a61c8b7f3 ]--- [ 940.058583] Kernel panic - not syncing: Fatal exception in interrupt Signed-off-by: François CACHEREUL <f.cachereul@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/l2tp/l2tp_core.c27
-rw-r--r--net/l2tp/l2tp_core.h3
2 files changed, 26 insertions, 4 deletions
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index feae495a0a30..aedaa2cd4237 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -496,6 +496,7 @@ out:
496static inline int l2tp_verify_udp_checksum(struct sock *sk, 496static inline int l2tp_verify_udp_checksum(struct sock *sk,
497 struct sk_buff *skb) 497 struct sk_buff *skb)
498{ 498{
499 struct l2tp_tunnel *tunnel = (struct l2tp_tunnel *)sk->sk_user_data;
499 struct udphdr *uh = udp_hdr(skb); 500 struct udphdr *uh = udp_hdr(skb);
500 u16 ulen = ntohs(uh->len); 501 u16 ulen = ntohs(uh->len);
501 __wsum psum; 502 __wsum psum;
@@ -504,7 +505,7 @@ static inline int l2tp_verify_udp_checksum(struct sock *sk,
504 return 0; 505 return 0;
505 506
506#if IS_ENABLED(CONFIG_IPV6) 507#if IS_ENABLED(CONFIG_IPV6)
507 if (sk->sk_family == PF_INET6) { 508 if (sk->sk_family == PF_INET6 && !tunnel->v4mapped) {
508 if (!uh->check) { 509 if (!uh->check) {
509 LIMIT_NETDEBUG(KERN_INFO "L2TP: IPv6: checksum is 0\n"); 510 LIMIT_NETDEBUG(KERN_INFO "L2TP: IPv6: checksum is 0\n");
510 return 1; 511 return 1;
@@ -1128,7 +1129,7 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
1128 /* Queue the packet to IP for output */ 1129 /* Queue the packet to IP for output */
1129 skb->local_df = 1; 1130 skb->local_df = 1;
1130#if IS_ENABLED(CONFIG_IPV6) 1131#if IS_ENABLED(CONFIG_IPV6)
1131 if (skb->sk->sk_family == PF_INET6) 1132 if (skb->sk->sk_family == PF_INET6 && !tunnel->v4mapped)
1132 error = inet6_csk_xmit(skb, NULL); 1133 error = inet6_csk_xmit(skb, NULL);
1133 else 1134 else
1134#endif 1135#endif
@@ -1255,7 +1256,7 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
1255 1256
1256 /* Calculate UDP checksum if configured to do so */ 1257 /* Calculate UDP checksum if configured to do so */
1257#if IS_ENABLED(CONFIG_IPV6) 1258#if IS_ENABLED(CONFIG_IPV6)
1258 if (sk->sk_family == PF_INET6) 1259 if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
1259 l2tp_xmit_ipv6_csum(sk, skb, udp_len); 1260 l2tp_xmit_ipv6_csum(sk, skb, udp_len);
1260 else 1261 else
1261#endif 1262#endif
@@ -1704,6 +1705,24 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
1704 if (cfg != NULL) 1705 if (cfg != NULL)
1705 tunnel->debug = cfg->debug; 1706 tunnel->debug = cfg->debug;
1706 1707
1708#if IS_ENABLED(CONFIG_IPV6)
1709 if (sk->sk_family == PF_INET6) {
1710 struct ipv6_pinfo *np = inet6_sk(sk);
1711
1712 if (ipv6_addr_v4mapped(&np->saddr) &&
1713 ipv6_addr_v4mapped(&np->daddr)) {
1714 struct inet_sock *inet = inet_sk(sk);
1715
1716 tunnel->v4mapped = true;
1717 inet->inet_saddr = np->saddr.s6_addr32[3];
1718 inet->inet_rcv_saddr = np->rcv_saddr.s6_addr32[3];
1719 inet->inet_daddr = np->daddr.s6_addr32[3];
1720 } else {
1721 tunnel->v4mapped = false;
1722 }
1723 }
1724#endif
1725
1707 /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */ 1726 /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
1708 tunnel->encap = encap; 1727 tunnel->encap = encap;
1709 if (encap == L2TP_ENCAPTYPE_UDP) { 1728 if (encap == L2TP_ENCAPTYPE_UDP) {
@@ -1712,7 +1731,7 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
1712 udp_sk(sk)->encap_rcv = l2tp_udp_encap_recv; 1731 udp_sk(sk)->encap_rcv = l2tp_udp_encap_recv;
1713 udp_sk(sk)->encap_destroy = l2tp_udp_encap_destroy; 1732 udp_sk(sk)->encap_destroy = l2tp_udp_encap_destroy;
1714#if IS_ENABLED(CONFIG_IPV6) 1733#if IS_ENABLED(CONFIG_IPV6)
1715 if (sk->sk_family == PF_INET6) 1734 if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
1716 udpv6_encap_enable(); 1735 udpv6_encap_enable();
1717 else 1736 else
1718#endif 1737#endif
diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
index 66a559b104b6..6f251cbc2ed7 100644
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -194,6 +194,9 @@ struct l2tp_tunnel {
194 struct sock *sock; /* Parent socket */ 194 struct sock *sock; /* Parent socket */
195 int fd; /* Parent fd, if tunnel socket 195 int fd; /* Parent fd, if tunnel socket
196 * was created by userspace */ 196 * was created by userspace */
197#if IS_ENABLED(CONFIG_IPV6)
198 bool v4mapped;
199#endif
197 200
198 struct work_struct del_work; 201 struct work_struct del_work;
199 202
generated by cgit v1.2.2 (git 2.25.0) at 2024-12-28 03:26:56 -0500