| From: Guillaume Nault <g.nault@alphalink.fr> |
| Date: Wed, 13 Jun 2018 15:09:20 +0200 |
| Subject: l2tp: prevent pppol2tp_connect() from creating kernel sockets |
| |
| commit 3e1bc8bf974e2d4e7beb842a4c801c2542eff3bd upstream. |
| |
| If 'fd' is negative, l2tp_tunnel_create() creates a tunnel socket using |
| the configuration passed in 'tcfg'. Currently, pppol2tp_connect() sets |
| the relevant fields to zero, tricking l2tp_tunnel_create() into setting |
| up an unusable kernel socket. |
| |
| We can't set 'tcfg' with the required fields because there's no way to |
| get them from the current connect() parameters. So let's restrict |
| kernel sockets creation to the netlink API, which is the original use |
| case. |
| |
| Fixes: 789a4a2c61d8 ("l2tp: Add support for static unmanaged L2TPv3 tunnels") |
| Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| net/l2tp/l2tp_ppp.c | 9 +++++++++ |
| 1 file changed, 9 insertions(+) |
| |
| --- a/net/l2tp/l2tp_ppp.c |
| +++ b/net/l2tp/l2tp_ppp.c |
| @@ -723,6 +723,15 @@ static int pppol2tp_connect(struct socke |
| .encap = L2TP_ENCAPTYPE_UDP, |
| .debug = 0, |
| }; |
| + |
| + /* Prevent l2tp_tunnel_register() from trying to set up |
| + * a kernel socket. |
| + */ |
| + if (fd < 0) { |
| + error = -EBADF; |
| + goto end; |
| + } |
| + |
| error = l2tp_tunnel_create(sock_net(sk), fd, ver, tunnel_id, peer_tunnel_id, &tcfg, &tunnel); |
| if (error < 0) |
| goto end; |
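Review bot: the comment added above the new `if (fd < 0)` check names l2tp_tunnel_register(), but the call it guards a few lines later in this hunk is l2tp_tunnel_create(), which is also the function the commit message says creates the socket when 'fd' is negative. In this tree the comment should read "Prevent l2tp_tunnel_create() from trying to set up a kernel socket" so it matches the code it sits above. It would also help to state in the comment that a negative fd is reserved for the netlink API, since that is the reason the message gives for returning -EBADF here instead of filling in 'tcfg'.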