Message ID | 1270367668.1971.3.camel@edumazet-laptop |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Sun, 04 Apr 2010 09:54:28 +0200

> [PATCH net-next-2.6] l2tp: unmanaged L2TPv3 tunnels fixes
>
> Followup to commit 789a4a2c
> (l2tp: Add support for static unmanaged L2TPv3 tunnels)
>
> One missing init in l2tp_tunnel_sock_create() could access random kernel
> memory, and a bit field should be unsigned.
>
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>

Applied, thanks Eric.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Sunday, 04 April 2010 at 01:02 -0700, David Miller wrote:
> From: Eric Dumazet <eric.dumazet@gmail.com>
> Date: Sun, 04 Apr 2010 09:54:28 +0200
>
> > [PATCH net-next-2.6] l2tp: unmanaged L2TPv3 tunnels fixes
> >
> > Followup to commit 789a4a2c
> > (l2tp: Add support for static unmanaged L2TPv3 tunnels)
> >
> > One missing init in l2tp_tunnel_sock_create() could access random kernel
> > memory, and a bit field should be unsigned.
> >
> > Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
>
> Applied, thanks Eric.

I am going to work on net/l2tp/l2tp_core.c, since RCU conversion is wrong
(but original code was wrong too...)

Example:

There is no real protection in the following code, since no refcount is taken on
session before releasing rcu_read_lock:

```c
static struct l2tp_session *l2tp_session_find_2(struct net *net, u32 session_id)
{
	struct l2tp_net *pn = l2tp_pernet(net);
	struct hlist_head *session_list =
		l2tp_session_id_hash_2(pn, session_id);
	struct l2tp_session *session;
	struct hlist_node *walk;

	rcu_read_lock_bh();
	hlist_for_each_entry_rcu(session, walk, session_list, global_hlist) {
		if (session->session_id == session_id) {
			rcu_read_unlock_bh();
			return session;
		}
	}
	rcu_read_unlock_bh();

	return NULL;
}
```
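The point made in the message above, as an added example that is not part of the thread or of l2tp_core.c: a userspace C model of a lookup that takes its reference before the read-side section ends, and refuses an object whose count has already reached zero. `session_get_unless_zero`, `session_put` and `session_find_get` are hypothetical names, C11 atomics stand in for kernel refcounting, and the RCU calls appear only as comments.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
/* Userspace model, added example: names are hypothetical, not l2tp_core.c's. */
struct session {
	unsigned int session_id;
	atomic_int refcount;     /* 0 means teardown has started */
	struct session *next;    /* hash-chain link */
};

/* Take a reference only while the count is still above zero. */
static bool session_get_unless_zero(struct session *s)
{
	int old = atomic_load(&s->refcount);
	while (old > 0)
		if (atomic_compare_exchange_weak(&s->refcount, &old, old + 1))
			return true;
	return false;
}

/* Drop a reference; true when the caller dropped the last one. */
static bool session_put(struct session *s)
{
	return atomic_fetch_sub(&s->refcount, 1) == 1;
}

/* Returns a pinned session or NULL; the caller must session_put() it. */
static struct session *session_find_get(struct session *head, unsigned int id)
{
	struct session *s, *found = NULL;
	/* read-side section starts (rcu_read_lock_bh() in the kernel) */
	for (s = head; s; s = s->next)
		if (s->session_id == id) {
			if (session_get_unless_zero(s))
				found = s;   /* pinned before the section ends */
			break;
		}
	/* read-side section ends (rcu_read_unlock_bh() in the kernel) */
	return found;
}

int main(void)
{
	struct session b = { 7, 1, NULL }, a = { 3, 1, &b };  /* constructed chain 3 -> 7 */
	struct session *s = session_find_get(&a, 7);
	if (!s) return 1;
	session_put(s);       /* lookup user is done */
	session_put(&b);      /* owner's put: count hits 0 */
	return session_find_get(&a, 7) != NULL;   /* 0: dying session refused */
}
```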
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c index 13ed85b..98dfcce 100644 --- a/net/l2tp/l2tp_core.c +++ b/net/l2tp/l2tp_core.c @@ -1227,7 +1227,7 @@ static int l2tp_tunnel_sock_create(u32 tunnel_id, u32 peer_tunnel_id, struct l2t int err = -EINVAL; struct sockaddr_in udp_addr; struct sockaddr_l2tpip ip_addr; - struct socket *sock; + struct socket *sock = NULL; switch (cfg->encap) { case L2TP_ENCAPTYPE_UDP: diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h index 91b1b9c..f0f318e 100644 --- a/net/l2tp/l2tp_core.h +++ b/net/l2tp/l2tp_core.h @@ -152,7 +152,7 @@ struct l2tp_tunnel_cfg { struct in_addr peer_ip; u16 local_udp_port; u16 peer_udp_port; - int use_udp_checksums:1; + unsigned int use_udp_checksums:1; }; struct l2tp_tunnel {
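Review bot: in the l2tp_core.c hunk, `struct socket *sock = NULL;` removes the random-memory access only if every path that leaves `switch (cfg->encap)` without creating a socket tests `sock` before using it, and that exit code lies outside the visible context. Please confirm the cleanup path checks `sock` for NULL, and name in the changelog which `cfg->encap` path reached `sock` uninitialised, since "one missing init" leaves the reader to find it.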
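Review bot: in the l2tp_core.h hunk, the change of `use_udp_checksums:1` from `int` to `unsigned int` is given no reason beyond "should be unsigned". Where plain `int` bit-fields are signed, a one-bit field holds only 0 and -1, so a stored 1 reads back as -1 and a comparison such as `== 1` fails; a short comment on the field in `struct l2tp_tunnel_cfg`, or one line in the changelog, would record that for later readers.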