From patchwork Fri Jun 15 13:39:17 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Guillaume Nault <g.nault@alphalink.fr>
X-Patchwork-Id: 929947
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none)
	header.from=alphalink.fr
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 416hRp5j5kz9s3C
	for <patchwork-incoming-netdev@ozlabs.org>;
	Fri, 15 Jun 2018 23:39:34 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S965771AbeFONjb (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Fri, 15 Jun 2018 09:39:31 -0400
Received: from zimbra.alphalink.fr ([217.15.80.77]:43955 "EHLO
	zimbra.alphalink.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S936266AbeFONjU (ORCPT
	<rfc822;netdev@vger.kernel.org>); Fri, 15 Jun 2018 09:39:20 -0400
Received: from localhost (localhost [127.0.0.1])
	by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id
	C294F2B520ED; Fri, 15 Jun 2018 15:39:18 +0200 (CEST)
Received: from zimbra.alphalink.fr ([127.0.0.1])
	by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1])
	(amavisd-new, port 10032)
	with ESMTP id lKhMBw1lkMIa; Fri, 15 Jun 2018 15:39:17 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id
	87E602B520B2; Fri, 15 Jun 2018 15:39:17 +0200 (CEST)
X-Virus-Scanned: amavisd-new at mail-2-cbv2.admin.alphalink.fr
Received: from zimbra.alphalink.fr ([127.0.0.1])
	by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1])
	(amavisd-new, port 10026)
	with ESMTP id lPoxN4dJbfPg; Fri, 15 Jun 2018 15:39:17 +0200 (CEST)
Received: from c-dev-0.admin.alphalink.fr (94-84-15-217.reverse.alphalink.fr
	[217.15.84.94])
	by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id
	6702F2B520B9; Fri, 15 Jun 2018 15:39:17 +0200 (CEST)
Received: by c-dev-0.admin.alphalink.fr (Postfix, from userid 1000)
	id 3D6EF600AD; Fri, 15 Jun 2018 15:39:17 +0200 (CEST)
Date: Fri, 15 Jun 2018 15:39:17 +0200
From: Guillaume Nault <g.nault@alphalink.fr>
To: netdev@vger.kernel.org
Cc: James Chapman <jchapman@katalix.com>
Subject: [PATCH net 1/2] l2tp: reject creation of non-PPP sessions on L2TPv2
	tunnels
Message-ID: 
 <13b7cc3e6728f0f0ff93b091b932dbd217c45b3b.1529065935.git.g.nault@alphalink.fr>
References: <cover.1529065935.git.g.nault@alphalink.fr>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <cover.1529065935.git.g.nault@alphalink.fr>
X-Mutt-Fcc: =Sent
User-Agent: Mutt/1.10.0 (2018-05-17)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

The /proc/net/pppol2tp handlers (pppol2tp_seq_*()) iterate over all
L2TPv2 tunnels, and rightfully expect that only PPP sessions can be
found there. However, l2tp_netlink accepts creating Ethernet sessions
regardless of the underlying tunnel version.

This confuses pppol2tp_seq_session_show(), which expects that
l2tp_session_priv() returns a pppol2tp_session structure. When the
session is an Ethernet pseudo-wire, a struct l2tp_eth_sess is returned
instead. This leads to invalid memory access when
pppol2tp_session_get_sock() later tries to dereference ps->sk.

Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
---
 net/l2tp/l2tp_netlink.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
index 6616c9fd292f..5b9900889e31 100644
--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -553,6 +553,12 @@ static int l2tp_nl_cmd_session_create(struct sk_buff *skb, struct genl_info *inf
 		goto out_tunnel;
 	}
 
+	/* L2TPv2 only accepts PPP pseudo-wires */
+	if (tunnel->version == 2 && cfg.pw_type != L2TP_PWTYPE_PPP) {
+		ret = -EPROTONOSUPPORT;
+		goto out_tunnel;
+	}
+
 	if (tunnel->version > 2) {
 		if (info->attrs[L2TP_ATTR_DATA_SEQ])
 			cfg.data_seq = nla_get_u8(info->attrs[L2TP_ATTR_DATA_SEQ]);