lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Sun, 05 Nov 2017 22:22:28 +0900 (KST)
From:   David Miller <davem@...emloft.net>
To:     g.nault@...halink.fr
Cc:     netdev@...r.kernel.org, jchapman@...alix.com, celston@...alix.com
Subject: Re: [PATCH net] l2tp: don't use l2tp_tunnel_find() in l2tp_ip and
 l2tp_ip6

From: Guillaume Nault <g.nault@...halink.fr>
Date: Fri, 3 Nov 2017 16:49:00 +0100

> Using l2tp_tunnel_find() in l2tp_ip_recv() is wrong for two reasons:
> 
>   * It doesn't take a reference on the returned tunnel, which makes the
>     call racy wrt. concurrent tunnel deletion.
> 
>   * The lookup is only based on the tunnel identifier, so it can return
>     a tunnel that doesn't match the packet's addresses or protocol.
> 
> For example, a packet sent to an L2TPv3 over IPv6 tunnel can be
> delivered to an L2TPv2 over UDPv4 tunnel. This is worse than a simple
> cross-talk: when delivering the packet to an L2TP over UDP tunnel, the
> corresponding socket is UDP, where ->sk_backlog_rcv() is NULL. Calling
> sk_receive_skb() will then crash the kernel by trying to execute this
> callback.
> 
> And l2tp_tunnel_find() isn't even needed here. __l2tp_ip_bind_lookup()
> properly checks the socket binding and connection settings. It was used
> as a fallback mechanism for finding tunnels that didn't have their data
> path registered yet. But it's not limited to this case and can be used
> to replace l2tp_tunnel_find() in the general case.
> 
> Fix l2tp_ip6 in the same way.
> 
> Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
> Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
> Signed-off-by: Guillaume Nault <g.nault@...halink.fr>

Applied, thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ