| From: Guillaume Nault <g.nault@alphalink.fr> |
| Date: Fri, 15 Jun 2018 15:39:17 +0200 |
| Subject: l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels |
| |
| commit de9bada5d389903f4faf33980e6a95a2911c7e6d upstream. |
| |
| The /proc/net/pppol2tp handlers (pppol2tp_seq_*()) iterate over all |
| L2TPv2 tunnels, and rightfully expect that only PPP sessions can be |
| found there. However, l2tp_netlink accepts creating Ethernet sessions |
| regardless of the underlying tunnel version. |
| |
| This confuses pppol2tp_seq_session_show(), which expects that |
| l2tp_session_priv() returns a pppol2tp_session structure. When the |
| session is an Ethernet pseudo-wire, a struct l2tp_eth_sess is returned |
| instead. This leads to invalid memory access when |
| pppol2tp_session_get_sock() later tries to dereference ps->sk. |
| |
| Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support") |
| Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| net/l2tp/l2tp_netlink.c | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| --- a/net/l2tp/l2tp_netlink.c |
| +++ b/net/l2tp/l2tp_netlink.c |
| @@ -460,6 +460,12 @@ static int l2tp_nl_cmd_session_create(st |
| goto out_tunnel; |
| } |
| |
| + /* L2TPv2 only accepts PPP pseudo-wires */ |
| + if (tunnel->version == 2 && cfg.pw_type != L2TP_PWTYPE_PPP) { |
| + ret = -EPROTONOSUPPORT; |
| + goto out_tunnel; |
| + } |
| + |
| if (tunnel->version > 2) { |
| if (info->attrs[L2TP_ATTR_OFFSET]) |
| cfg.offset = nla_get_u16(info->attrs[L2TP_ATTR_OFFSET]); |
