l2tp: fix lookup for sockets not bound to a device in l2tp_ip
authorGuillaume Nault <g.nault@alphalink.fr>
Tue, 29 Nov 2016 12:09:47 +0000 (13:09 +0100)
committerDavid S. Miller <davem@davemloft.net>
Wed, 30 Nov 2016 19:14:08 +0000 (14:14 -0500)
When looking up an l2tp socket, we must consider a null netdevice id as
wild card. There are currently two problems caused by
__l2tp_ip_bind_lookup() not considering 'dif' as wild card when set to 0:

  * A socket bound to a device (i.e. with sk->sk_bound_dev_if != 0)
    never receives any packet. Since __l2tp_ip_bind_lookup() is called
    with dif == 0 in l2tp_ip_recv(), sk->sk_bound_dev_if is always
    different from 'dif' so the socket doesn't match.

  * Two sockets, one bound to a device but not the other, can be bound
    to the same address. If the first socket binding to the address is
    the one that is also bound to a device, the second socket can bind
    to the same address without __l2tp_ip_bind_lookup() noticing the
    overlap.

To fix this issue, we need to consider that any null device index, be
it 'sk->sk_bound_dev_if' or 'dif', matches with any other value.
We also need to pass the input device index to __l2tp_ip_bind_lookup()
on reception so that sockets bound to a device never receive packets
from other devices.

This patch fixes l2tp_ip6 in the same way.

Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/l2tp/l2tp_ip.c
net/l2tp/l2tp_ip6.c

index b517c33669227380a723bb6a9e9585b6b647a4e2..8938b6ba57a037b6f95f9dcfd2461d7c3951cdfb 100644 (file)
@@ -61,7 +61,8 @@ static struct sock *__l2tp_ip_bind_lookup(struct net *net, __be32 laddr, int dif
                if ((l2tp->conn_id == tunnel_id) &&
                    net_eq(sock_net(sk), net) &&
                    !(inet->inet_rcv_saddr && inet->inet_rcv_saddr != laddr) &&
-                   !(sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif))
+                   (!sk->sk_bound_dev_if || !dif ||
+                    sk->sk_bound_dev_if == dif))
                        goto found;
        }
 
@@ -182,7 +183,8 @@ pass_up:
                struct iphdr *iph = (struct iphdr *) skb_network_header(skb);
 
                read_lock_bh(&l2tp_ip_lock);
-               sk = __l2tp_ip_bind_lookup(net, iph->daddr, 0, tunnel_id);
+               sk = __l2tp_ip_bind_lookup(net, iph->daddr, inet_iif(skb),
+                                          tunnel_id);
                if (!sk) {
                        read_unlock_bh(&l2tp_ip_lock);
                        goto discard;
index 5f2ae615c5f92fcbc9b6c9a793d726ec78a4f4f0..4a8644001d096c0c5158d90cee3a3de0e76742fb 100644 (file)
@@ -73,7 +73,8 @@ static struct sock *__l2tp_ip6_bind_lookup(struct net *net,
                if ((l2tp->conn_id == tunnel_id) &&
                    net_eq(sock_net(sk), net) &&
                    !(addr && ipv6_addr_equal(addr, laddr)) &&
-                   !(sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif))
+                   (!sk->sk_bound_dev_if || !dif ||
+                    sk->sk_bound_dev_if == dif))
                        goto found;
        }
 
@@ -196,8 +197,8 @@ pass_up:
                struct ipv6hdr *iph = ipv6_hdr(skb);
 
                read_lock_bh(&l2tp_ip6_lock);
-               sk = __l2tp_ip6_bind_lookup(net, &iph->daddr,
-                                           0, tunnel_id);
+               sk = __l2tp_ip6_bind_lookup(net, &iph->daddr, inet6_iif(skb),
+                                           tunnel_id);
                if (!sk) {
                        read_unlock_bh(&l2tp_ip6_lock);
                        goto discard;