Commit de9bada5 authored Jun 15, 2018 by Guillaume Nault Committed by David S. Miller Jun 15, 2018

l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels



The /proc/net/pppol2tp handlers (pppol2tp_seq_*()) iterate over all
L2TPv2 tunnels, and rightfully expect that only PPP sessions can be
found there. However, l2tp_netlink accepts creating Ethernet sessions
regardless of the underlying tunnel version.

This confuses pppol2tp_seq_session_show(), which expects that
l2tp_session_priv() returns a pppol2tp_session structure. When the
session is an Ethernet pseudo-wire, a struct l2tp_eth_sess is returned
instead. This leads to invalid memory access when
pppol2tp_session_get_sock() later tries to dereference ps->sk.

Fixes: d9e31d17 ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent eab9a2d5

net/l2tp/l2tp_netlink.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -553,6 +553,12 @@ static int l2tp_nl_cmd_session_create(struct sk_buff skb, struct genl_info inf
		goto out_tunnel;
		}

		/* L2TPv2 only accepts PPP pseudo-wires */
		if (tunnel->version == 2 && cfg.pw_type != L2TP_PWTYPE_PPP) {
		ret = -EPROTONOSUPPORT;
		goto out_tunnel;
		}

		if (tunnel->version > 2) {
		if (info->attrs[L2TP_ATTR_DATA_SEQ])
		cfg.data_seq = nla_get_u8(info->attrs[L2TP_ATTR_DATA_SEQ]);