From patchwork Sat Nov 5 07:40:29 2011
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 123826
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <1320478829.16609.15.camel@edumazet-laptop>
Subject: Re: PROBLEM: pppol2tp over pppoe NULL pointer dereference
From: Eric Dumazet
To: David Miller
Cc: spiked.yar@gmail.com, netdev@vger.kernel.org
Date: Sat, 05 Nov 2011 08:40:29 +0100
In-Reply-To: <20111104.222851.1376278499619626232.davem@davemloft.net>
References: <1320191893.4728.13.camel@edumazet-laptop> <20111104.222851.1376278499619626232.davem@davemloft.net>
X-Mailer: Evolution 3.2.0-
Mime-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

On Friday 04 November 2011 at 22:28 -0400, David Miller wrote:
> From: Eric Dumazet
> Date: Wed, 02 Nov 2011 00:58:13 +0100
>
> > Please try following patch, thanks !
> >
> > [PATCH] l2tp: handle fragmented skbs in receive path
> >
> > Modern drivers provide skb with fragments, and L2TP doesn't properly
> > handle them.
> >
> > Some bad frames can also trigger panics because of insufficient checks.
> >
> > Reported-by: Misha Labjuk
> > Signed-off-by: Eric Dumazet
>
> I'm still waiting for testing results of this patch.

Of course. If you prefer, I can submit a smaller patch for the obvious bug first, and I can respin the thing when net-next reopens.

[PATCH] l2tp: fix l2tp_udp_recv_core()

pskb_may_pull() can change skb->data, so we have to load ptr/optr at the right place.

Signed-off-by: Eric Dumazet
---
 net/l2tp/l2tp_core.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c index bf8d50c..cf0f308 100644 --- a/net/l2tp/l2tp_core.c +++ b/net/l2tp/l2tp_core.c @@ -756,9 +756,6 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb, goto error; } - /* Point to L2TP header */ - optr = ptr = skb->data; - /* Trace packet contents, if enabled */ if (tunnel->debug & L2TP_MSG_DATA) { length = min(32u, skb->len);
@@ -769,12 +766,15 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb, offset = 0; do { - printk(" %02X", ptr[offset]); + printk(" %02X", skb->data[offset]); } while (++offset < length); printk("\n"); } + /* Point to L2TP header */ + optr = ptr = skb->data; + /* Get L2TP header flags */ hdrflags = ntohs(*(__be16 *) ptr);
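Review bot: in the first hunk the trace loop now indexes skb->data[offset] directly for offset below length = min(32u, skb->len), and the reason is only stated in the commit message (pskb_may_pull() on this path can move skb->data, so a pointer cached before it goes stale); a one-line comment at the loop, e.g. `/* re-read skb->data: pskb_may_pull() above may have reallocated it */`, would keep a later cleanup from hoisting a cached ptr back in front of it.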
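Review bot: in the second hunk, re-establishing `optr = ptr = skb->data;` only after the trace block closes is the actual fix, but the restored `/* Point to L2TP header */` comment gives no hint that its position is load-bearing; extending it to say the load must come after the last pskb_may_pull() on this path would document the invariant. Since this is carved out of the larger "handle fragmented skbs in receive path" patch that is still awaiting test results, the commit message should also say so, so the two are not applied on top of each other without rebasing.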