• Guillaume Nault's avatar
    l2tp: don't use l2tp_tunnel_find() in l2tp_ip and l2tp_ip6 · 8f7dc9ae
    Guillaume Nault authored
    Using l2tp_tunnel_find() in l2tp_ip_recv() is wrong for two reasons:
      * It doesn't take a reference on the returned tunnel, which makes the
        call racy wrt. concurrent tunnel deletion.
      * The lookup is only based on the tunnel identifier, so it can return
        a tunnel that doesn't match the packet's addresses or protocol.
    For example, a packet sent to an L2TPv3 over IPv6 tunnel can be
    delivered to an L2TPv2 over UDPv4 tunnel. This is worse than a simple
    cross-talk: when delivering the packet to an L2TP over UDP tunnel, the
    corresponding socket is UDP, where ->sk_backlog_rcv() is NULL. Calling
    sk_receive_skb() will then crash the kernel by trying to execute this
    And l2tp_tunnel_find() isn't even needed here. __l2tp_ip_bind_lookup()
    properly checks the socket binding and connection settings. It was used
    as a fallback mechanism for finding tunnels that didn't have their data
    path registered yet. But it's not limited to this case and can be used
    to replace l2tp_tunnel_find() in the general case.
    Fix l2tp_ip6 in the same way.
    Fixes: 0d76751f ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
    Fixes: a32e0eec ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
    Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
l2tp_ip6.c 19.8 KB