| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20170215232849.12991-1-phueber@kernsp.in> Date: Thu, 16 Feb 2017 00:28:49 +0100 From: Paul Hüber <phueber@...nsp.in> To: "David S. Miller" <davem@...emloft.net> Cc: LKML <linux-kernel@...r.kernel.org> Subject: [PATCH] l2tp: avoid use-after-free caused by l2tp_ip_backlog_recv l2tp_ip_backlog_recv may not return -1 if the packet gets dropped, as the value is passed up to ip_local_deliver_finish, which treats negative values as an IP protocol number for resubmission. Signed-off-by: Paul Hüber <phueber@...nsp.in> --- net/l2tp/l2tp_ip.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c index 28c21546d5b6..3ed30153a6f5 100644 --- a/net/l2tp/l2tp_ip.c +++ b/net/l2tp/l2tp_ip.c @@ -381,7 +381,7 @@ static int l2tp_ip_backlog_recv(struct sock *sk, struct sk_buff *skb) drop: IP_INC_STATS(sock_net(sk), IPSTATS_MIB_INDISCARDS); kfree_skb(skb); - return -1; + return 0; } /* Userspace will call sendmsg() on the tunnel socket to send L2TP -- 2.11.1
Powered by blists - more mailing lists