| From: Guillaume Nault <g.nault@alphalink.fr> |
| Date: Mon, 23 Apr 2018 16:15:14 +0200 |
| Subject: l2tp: check sockaddr length in pppol2tp_connect() |
| |
| commit eb1c28c05894a4b1f6b56c5bf072205e64cfa280 upstream. |
| |
| Check sockaddr_len before dereferencing sp->sa_protocol, to ensure that |
| it actually points to valid data. |
| |
| Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") |
| Reported-by: syzbot+a70ac890b23b1bf29f5c@syzkaller.appspotmail.com |
| Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| net/l2tp/l2tp_ppp.c | 7 +++++++ |
| 1 file changed, 7 insertions(+) |
| |
| --- a/net/l2tp/l2tp_ppp.c |
| +++ b/net/l2tp/l2tp_ppp.c |
| @@ -641,6 +641,13 @@ static int pppol2tp_connect(struct socke |
| lock_sock(sk); |
| |
| error = -EINVAL; |
| + |
| + if (sockaddr_len != sizeof(struct sockaddr_pppol2tp) && |
| + sockaddr_len != sizeof(struct sockaddr_pppol2tpv3) && |
| + sockaddr_len != sizeof(struct sockaddr_pppol2tpin6) && |
| + sockaddr_len != sizeof(struct sockaddr_pppol2tpv3in6)) |
| + goto end; |
| + |
| if (sp->sa_protocol != PX_PROTO_OL2TP) |
| goto end; |
| |
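Review bot: The added length check has no comment explaining why exactly these four sizes are accepted, or that it must stay ahead of the `sp->sa_protocol` read on the line just below it. I would add `/* Reject lengths matching no supported sockaddr_pppol2tp* layout before reading any sp-> field. */` above the `if`, so a later reorder does not reintroduce the read of a short, caller-supplied address. The test depends only on the `sockaddr_len` argument, so it could presumably run before `lock_sock(sk)`. Placed where it is, it relies on the `end` label releasing the socket lock, which cannot be confirmed from the hunk. pppol2tp_connect() starts and ends outside this hunk.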