l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels
authorGuillaume Nault <g.nault@alphalink.fr>
Fri, 15 Jun 2018 13:39:17 +0000 (15:39 +0200)
committerDavid S. Miller <davem@davemloft.net>
Fri, 15 Jun 2018 16:12:37 +0000 (09:12 -0700)
commitde9bada5d389903f4faf33980e6a95a2911c7e6d
tree3ad1d79de37cb8504ed31107e9ed76e5e05c1d85
parenteab9a2d5f323228405b5bacf2ff3fc4ad9cf81e5
l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels

The /proc/net/pppol2tp handlers (pppol2tp_seq_*()) iterate over all
L2TPv2 tunnels, and rightfully expect that only PPP sessions can be
found there. However, l2tp_netlink accepts creating Ethernet sessions
regardless of the underlying tunnel version.

This confuses pppol2tp_seq_session_show(), which expects that
l2tp_session_priv() returns a pppol2tp_session structure. When the
session is an Ethernet pseudo-wire, a struct l2tp_eth_sess is returned
instead. This leads to invalid memory access when
pppol2tp_session_get_sock() later tries to dereference ps->sk.

Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/l2tp/l2tp_netlink.c