Google Git
Sign in
kernel / pub / scm / linux / kernel / git / paulg / longterm-queue-4.8 / refs/tags/v4.8.23 / . / release / 4.8.23 / l2tp-avoid-use-after-free-caused-by-l2tp_ip_backlog_.patch
blob: af35ddfd109fa3a755c2af960f83f31909ae098a [file] [log] [blame]
From 9c981364a428c9ce3de68025745b357a59b0bab8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Paul=20H=C3=BCber?= <phueber@kernsp.in>
Date: Sun, 26 Feb 2017 17:58:19 +0100
Subject: [PATCH] l2tp: avoid use-after-free caused by l2tp_ip_backlog_recv
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
commit 51fb60eb162ab84c5edf2ae9c63cf0b878e5547e upstream.
l2tp_ip_backlog_recv may not return -1 if the packet gets dropped.
The return value is passed up to ip_local_deliver_finish, which treats
negative values as an IP protocol number for resubmission.
Signed-off-by: Paul HΓΌber <phueber@kernsp.in>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index 445b7cd0826a..48ab93842322 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -383,7 +383,7 @@ static int l2tp_ip_backlog_recv(struct sock *sk, struct sk_buff *skb)
drop:
IP_INC_STATS(sock_net(sk), IPSTATS_MIB_INDISCARDS);
kfree_skb(skb);
- return -1;
+ return 0;
}
/* Userspace will call sendmsg() on the tunnel socket to send L2TP
--
2.12.0