From patchwork Tue Jan 22 09:08:14 2019
X-Patchwork-Submitter: Jacob Wen
X-Patchwork-Id: 1029144
X-Patchwork-Delegate: davem@davemloft.net
From: Jacob Wen
To: netdev@vger.kernel.org
Subject: [PATCH] net: l2tp: fix reading optional fields
Date: Tue, 22 Jan 2019 17:08:14 +0800
Message-Id: <20190122090814.17650-1-jian.w.wen@oracle.com>
X-Mailer: git-send-email 2.17.1
Sender: netdev-owner@vger.kernel.org
X-Mailing-List: netdev@vger.kernel.org

Use pskb_may_pull() to make sure the optional fields are in skb linear parts.

Signed-off-by: Jacob Wen
---
 net/l2tp/l2tp_core.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 26f1d435696a..7df927bd4202 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -627,6 +627,8 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb, /* Parse and check optional cookie */ if (session->peer_cookie_len > 0) { + if (!pskb_may_pull(skb, ptr - optr + session->peer_cookie_len)) + goto discard; if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) { l2tp_info(tunnel, L2TP_MSG_DATA, "%s: cookie mismatch (%u/%u). Discarding.\n", @@ -649,6 +651,8 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb, L2TP_SKB_CB(skb)->has_seq = 0; if (tunnel->version == L2TP_HDR_VER_2) { if (hdrflags & L2TP_HDRFLAG_S) { + if (!pskb_may_pull(skb, ptr - optr + 4)) + goto discard; ns = ntohs(*(__be16 *) ptr); ptr += 2; nr = ntohs(*(__be16 *) ptr); @@ -663,6 +667,9 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb, session->name, ns, nr, session->nr); } } else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) { + if (!pskb_may_pull(skb, ptr - optr + 4)) + goto discard; + u32 l2h = ntohl(*(__be32 *) ptr); if (l2h & 0x40000000) { @@ -729,6 +736,9 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb, if (tunnel->version == L2TP_HDR_VER_2) { /* If offset bit set, skip it. */ if (hdrflags & L2TP_HDRFLAG_O) { + if (!pskb_may_pull(skb, ptr - optr + 2)) + goto discard; + offset = ntohs(*(__be16 *)ptr); ptr += 2 + offset; }
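Review bot: in the cookie hunk (@@ -627), ptr is handed to memcmp() right after pskb_may_pull() without being recomputed. pskb_may_pull() can reallocate the skb head when it has to pull bytes out of fragments, so a pointer derived from skb->data before the call may be stale afterwards. If ptr and optr point into the skb data, as the ptr - optr offset implies, save that offset before the call and reload both pointers from skb->data after it. The length argument is counted from skb->data, so it is only correct if optr equals skb->data at this point; a comment stating that would help.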
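Review bot: in the sequence-number hunk (@@ -649), the `goto discard` added under L2TP_HDRFLAG_S drops a truncated packet with no message, while the cookie mismatch branch earlier in the function logs through l2tp_info() before discarding. Consider a debug message here so short Ns/Nr headers can be told apart from other drops. The literal 4 is the Ns and Nr pair read just below and would read better as 2 * sizeof(__be16) or with a short comment.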
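Review bot: in the L2TP_L2SPECTYPE_DEFAULT hunk (@@ -663), the new check lands ahead of `u32 l2h = ntohl(*(__be32 *) ptr);`, which turns that line into a declaration after a statement. Kernel builds warn on this (-Wdeclaration-after-statement). Declare `u32 l2h;` at the top of the block, do the pskb_may_pull() check, then assign l2h from ptr.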
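Review bot: in the offset hunk (@@ -729), the check covers only the 2-byte offset size field, yet the following lines do `ptr += 2 + offset` with offset taken from the packet. Nothing visible in this hunk verifies that those offset bytes lie within the skb, so ptr can end up beyond the data that was pulled. Either add a second check for 2 + offset once offset has been read, or note in the commit message which later length check covers it.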