Message ID | 20200529183225.150288-1-edumazet@google.com |
---|---|
State | Accepted |
Delegated to: | David Miller |
Series | [net] l2tp: add sk_family checks to l2tp_validate_socket |
On Fri, May 29, 2020 at 11:32:25AM -0700, Eric Dumazet wrote: > syzbot was able to trigger a crash after using an ISDN socket > and fool l2tp. > > Fix this by making sure the UDP socket is of the proper family. > > --- a/net/l2tp/l2tp_core.c > +++ b/net/l2tp/l2tp_core.c > @@ -1458,6 +1458,9 @@ static int l2tp_validate_socket(const struct sock *sk, const struct net *net, > if (sk->sk_type != SOCK_DGRAM) > return -EPROTONOSUPPORT; > > + if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6) > + return -EPROTONOSUPPORT; > + > if ((encap == L2TP_ENCAPTYPE_UDP && sk->sk_protocol != IPPROTO_UDP) || > (encap == L2TP_ENCAPTYPE_IP && sk->sk_protocol != IPPROTO_L2TP)) > return -EPROTONOSUPPORT; > Thanks a lot! Acked-by: Guillaume Nault <gnault@redhat.com>
From: Eric Dumazet <edumazet@google.com>
Date: Fri, 29 May 2020 11:32:25 -0700

> syzbot was able to trigger a crash after using an ISDN socket
> and fool l2tp.
>
> Fix this by making sure the UDP socket is of the proper family.
...
> Fixes: 6b9f34239b00 ("l2tp: fix races in tunnel creation")
> Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: James Chapman <jchapman@katalix.com>
> Cc: Guillaume Nault <gnault@redhat.com>
> Reported-by: syzbot <syzkaller@googlegroups.com>

Applied and queued up for -stable, thanks.
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c index fcb53ed1c4fb98de3d60c52542e4c4260582bf3a..6d7ef78c88af059a4cbfb5d89f32ad6d1babfe74 100644 --- a/net/l2tp/l2tp_core.c +++ b/net/l2tp/l2tp_core.c @@ -1458,6 +1458,9 @@ static int l2tp_validate_socket(const struct sock *sk, const struct net *net, if (sk->sk_type != SOCK_DGRAM) return -EPROTONOSUPPORT; + if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6) + return -EPROTONOSUPPORT; + if ((encap == L2TP_ENCAPTYPE_UDP && sk->sk_protocol != IPPROTO_UDP) || (encap == L2TP_ENCAPTYPE_IP && sk->sk_protocol != IPPROTO_L2TP)) return -EPROTONOSUPPORT;
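Review bot: the added sk_family test in l2tp_validate_socket() carries no comment explaining why it is needed, and the reason is not obvious from the neighbouring checks. sk_type and sk_protocol are only meaningful within an address family, so the existing `sk->sk_type != SOCK_DGRAM` test and the IPPROTO_UDP / IPPROTO_L2TP comparison that follows do not by themselves establish that the socket is an IPv4 or IPv6 one. A one-line comment above `if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)` saying that the later protocol comparison assumes an inet socket would keep the check from being dropped or reordered later. As a style point, sk_family is usually compared against AF_INET / AF_INET6 rather than the PF_ names; the values are identical, so this is cosmetic only.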