l2tp: only accept PPP sessions in pppol2tp_connect()
authorGuillaume Nault <g.nault@alphalink.fr>
Wed, 13 Jun 2018 13:09:19 +0000 (15:09 +0200)
committerDavid S. Miller <davem@davemloft.net>
Fri, 15 Jun 2018 00:10:19 +0000 (17:10 -0700)
l2tp_session_priv() returns a struct pppol2tp_session pointer only for
PPPoL2TP sessions. In particular, if the session is an L2TP_PWTYPE_ETH
pseudo-wire, l2tp_session_priv() returns a pointer to an l2tp_eth_sess
structure, which is much smaller than struct pppol2tp_session. This
leads to invalid memory dereference when trying to lock ps->sk_lock.

Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/l2tp/l2tp_ppp.c

index 270a0a999eafc19d4438f7561ec19abdd74be1cd..8b3b6947a07d7f08127a444ec4e7089b7188cb80 100644 (file)
@@ -734,6 +734,12 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
        session = l2tp_session_get(sock_net(sk), tunnel, session_id);
        if (session) {
                drop_refcnt = true;
+
+               if (session->pwtype != L2TP_PWTYPE_PPP) {
+                       error = -EPROTOTYPE;
+                       goto end;
+               }
+
                ps = l2tp_session_priv(session);
 
                /* Using a pre-existing session is fine as long as it hasn't