| From: Guillaume Nault <g.nault@alphalink.fr> |
| Date: Fri, 15 Jun 2018 15:39:19 +0200 |
| Subject: l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl() |
| |
| commit ecd012e45ab5fd76ed57546865897ce35920f56b upstream. |
| |
| pppol2tp_tunnel_ioctl() can act on an L2TPv3 tunnel, in which case |
| 'session' may be an Ethernet pseudo-wire. |
| |
| However, pppol2tp_session_ioctl() expects a PPP pseudo-wire, as it |
| assumes l2tp_session_priv() points to a pppol2tp_session structure. For |
| an Ethernet pseudo-wire l2tp_session_priv() points to an l2tp_eth_sess |
| structure instead, making pppol2tp_session_ioctl() access invalid |
| memory. |
| |
| Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support") |
| Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| net/l2tp/l2tp_ppp.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/net/l2tp/l2tp_ppp.c |
| +++ b/net/l2tp/l2tp_ppp.c |
| @@ -1231,7 +1231,7 @@ static int pppol2tp_tunnel_ioctl(struct |
| l2tp_session_get(sock_net(sk), tunnel, |
| stats.session_id, true); |
| |
| - if (session) { |
| + if (session && session->pwtype == L2TP_PWTYPE_PPP) { |
| err = pppol2tp_session_ioctl(session, cmd, |
| arg); |
| if (session->deref) |