netdev.vger.kernel.org archive mirror
* [PATCH net 0/2] l2tp: l2tp_ppp must ignore non-PPP sessions
@ 2018-06-15 13:39 Guillaume Nault
  2018-06-15 13:39 ` [PATCH net 1/2] l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels Guillaume Nault
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Guillaume Nault @ 2018-06-15 13:39 UTC (permalink / raw)
  To: netdev; +Cc: James Chapman

The original L2TP code was written for version 2 of the protocol, which
could only carry PPP sessions. Then L2TPv3 generalised the protocol so that
it could transport different kinds of pseudo-wires. But parts of the
l2tp_ppp module still break in the presence of non-PPP sessions.

Assuming L2TPv2 tunnels can only transport PPP sessions is right, but
l2tp_netlink failed to ensure that (fixed in patch 1).
When retrieving a session from an arbitrary tunnel, l2tp_ppp needs to
filter out non-PPP sessions (last occurrence fixed in patch 2).


Guillaume Nault (2):
  l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels
  l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()

 net/l2tp/l2tp_netlink.c | 6 ++++++
 net/l2tp/l2tp_ppp.c     | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

-- 
2.17.1


* [PATCH net 1/2] l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels
  2018-06-15 13:39 [PATCH net 0/2] l2tp: l2tp_ppp must ignore non-PPP sessions Guillaume Nault
@ 2018-06-15 13:39 ` Guillaume Nault
  2018-06-15 13:39 ` [PATCH net 2/2] l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl() Guillaume Nault
  2018-06-15 16:12 ` [PATCH net 0/2] l2tp: l2tp_ppp must ignore non-PPP sessions David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: Guillaume Nault @ 2018-06-15 13:39 UTC (permalink / raw)
  To: netdev; +Cc: James Chapman

The /proc/net/pppol2tp handlers (pppol2tp_seq_*()) iterate over all
L2TPv2 tunnels, and rightfully expect that only PPP sessions can be
found there. However, l2tp_netlink accepts creating Ethernet sessions
regardless of the underlying tunnel version.

This confuses pppol2tp_seq_session_show(), which expects that
l2tp_session_priv() returns a pppol2tp_session structure. When the
session is an Ethernet pseudo-wire, a struct l2tp_eth_sess is returned
instead. This leads to invalid memory access when
pppol2tp_session_get_sock() later tries to dereference ps->sk.

Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
---
 net/l2tp/l2tp_netlink.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
index 6616c9fd292f..5b9900889e31 100644
--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -553,6 +553,12 @@ static int l2tp_nl_cmd_session_create(struct sk_buff *skb, struct genl_info *inf
 		goto out_tunnel;
 	}
 
+	/* L2TPv2 only accepts PPP pseudo-wires */
+	if (tunnel->version == 2 && cfg.pw_type != L2TP_PWTYPE_PPP) {
+		ret = -EPROTONOSUPPORT;
+		goto out_tunnel;
+	}
+
 	if (tunnel->version > 2) {
 		if (info->attrs[L2TP_ATTR_DATA_SEQ])
 			cfg.data_seq = nla_get_u8(info->attrs[L2TP_ATTR_DATA_SEQ]);
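
Review bot: The new `tunnel->version == 2` test and the `tunnel->version > 2` block directly below it are not complementary, so a tunnel whose version field is neither 2 nor above 2 would skip both the PPP-only restriction and the v3 attribute parsing. Writing the condition as `tunnel->version < 3`, or making the v3 block the `else` of this one, would make the restriction hold for everything that is not L2TPv3. The bare -EPROTONOSUPPORT also gives the netlink caller no hint about which attribute was rejected, so the commit message should state that this is the errno userspace gets for a pw_type/tunnel version mismatch.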
-- 
2.17.1


* [PATCH net 2/2] l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()
  2018-06-15 13:39 [PATCH net 0/2] l2tp: l2tp_ppp must ignore non-PPP sessions Guillaume Nault
  2018-06-15 13:39 ` [PATCH net 1/2] l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels Guillaume Nault
@ 2018-06-15 13:39 ` Guillaume Nault
  2018-06-15 16:12 ` [PATCH net 0/2] l2tp: l2tp_ppp must ignore non-PPP sessions David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: Guillaume Nault @ 2018-06-15 13:39 UTC (permalink / raw)
  To: netdev; +Cc: James Chapman

pppol2tp_tunnel_ioctl() can act on an L2TPv3 tunnel, in which case
'session' may be an Ethernet pseudo-wire.

However, pppol2tp_session_ioctl() expects a PPP pseudo-wire, as it
assumes l2tp_session_priv() points to a pppol2tp_session structure. For
an Ethernet pseudo-wire l2tp_session_priv() points to an l2tp_eth_sess
structure instead, making pppol2tp_session_ioctl() access invalid
memory.

Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
---
 net/l2tp/l2tp_ppp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index f429fed06a1e..55188382845c 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -1201,7 +1201,7 @@ static int pppol2tp_tunnel_ioctl(struct l2tp_tunnel *tunnel,
 				l2tp_session_get(sock_net(sk), tunnel,
 						 stats.session_id);
 
-			if (session) {
+			if (session && session->pwtype == L2TP_PWTYPE_PPP) {
 				err = pppol2tp_session_ioctl(session, cmd,
 							     arg);
 				l2tp_session_dec_refcount(session);
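
Review bot: In the changed `if`, a session that is found but is not a PPP pseudo-wire now skips the whole branch, including the `l2tp_session_dec_refcount(session)` call, so in the visible lines the reference taken by `l2tp_session_get()` is never dropped for that case. Test `session` on its own first and drop the reference whenever it is non-NULL, keeping only the `pppol2tp_session_ioctl()` call behind the `session->pwtype == L2TP_PWTYPE_PPP` test.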
-- 
2.17.1
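
The two rules the series enforces, as an added user-space model (not kernel code and not part of the posted patches): reject the mismatched session type at creation, and check the type tag before interpreting a session's private data. All type, field and function names below are hypothetical stand-ins, and the enum values are constructed.

```c
#include <stddef.h>
/* User-space model only: hypothetical names, constructed values, not kernel code. */
enum pw_type { PW_ETH = 1, PW_PPP = 2 };
struct ppp_priv { int owner_fd; };          /* stands in for struct pppol2tp_session */
struct eth_priv { unsigned char mac[6]; };  /* stands in for struct l2tp_eth_sess */
struct session {
    enum pw_type pwtype;   /* tag that says which member of priv is valid */
    int refcount;
    union { struct ppp_priv ppp; struct eth_priv eth; } priv;
};
struct tunnel { int version; struct session *sessions[4]; };

/* Creation-time rule (patch 1): a version 2 tunnel carries PPP sessions only. */
int session_create_allowed(const struct tunnel *t, enum pw_type pw)
{
    return !(t->version == 2 && pw != PW_PPP);
}

/* Lookup takes a reference, as l2tp_session_get() does in the thread. */
struct session *session_get(struct tunnel *t, size_t idx)
{
    struct session *s = idx < 4 ? t->sessions[idx] : NULL;
    if (s)
        s->refcount++;
    return s;
}

/* Use-time rule (patch 2): check the tag first; the reference is released either way. */
int ppp_owner_fd(struct tunnel *t, size_t idx, int *fd_out)
{
    struct session *s = session_get(t, idx);
    int err = -1;
    if (!s)
        return err;
    if (s->pwtype == PW_PPP) {
        *fd_out = s->priv.ppp.owner_fd;
        err = 0;
    }
    s->refcount--;
    return err;
}

int main(void)
{
    struct session eth = { .pwtype = PW_ETH, .refcount = 1 };
    struct tunnel v3 = { .version = 3, .sessions = { &eth } };
    int fd = -1;
    return ppp_owner_fd(&v3, 0, &fd) == -1 ? 0 : 1;
}
```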


* Re: [PATCH net 0/2] l2tp: l2tp_ppp must ignore non-PPP sessions
  2018-06-15 13:39 [PATCH net 0/2] l2tp: l2tp_ppp must ignore non-PPP sessions Guillaume Nault
  2018-06-15 13:39 ` [PATCH net 1/2] l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels Guillaume Nault
  2018-06-15 13:39 ` [PATCH net 2/2] l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl() Guillaume Nault
@ 2018-06-15 16:12 ` David Miller
  2 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2018-06-15 16:12 UTC (permalink / raw)
  To: g.nault; +Cc: netdev, jchapman

From: Guillaume Nault <g.nault@alphalink.fr>
Date: Fri, 15 Jun 2018 15:39:15 +0200

> The original L2TP code was written for version 2 of the protocol, which
> could only carry PPP sessions. Then L2TPv3 generalised the protocol so that
> it could transport different kinds of pseudo-wires. But parts of the
> l2tp_ppp module still break in the presence of non-PPP sessions.
> 
> Assuming L2TPv2 tunnels can only transport PPP sessions is right, but
> l2tp_netlink failed to ensure that (fixed in patch 1).
> When retrieving a session from an arbitrary tunnel, l2tp_ppp needs to
> filter out non-PPP sessions (last occurrence fixed in patch 2).

Series applied, thank you.
