| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 17 Apr 2012 14:48:54 +0200
From: Eric Dumazet <eric.dumazet@...il.com>
To: James Chapman <jchapman@...alix.com>
Cc: netdev@...r.kernel.org, bcrl@...ck.org
Subject: Re: [RFC PATCH 2/2] l2tp: Introduce L2TPv3 IP encapsulation
support for IPv6
On Tue, 2012-04-17 at 13:29 +0100, James Chapman wrote:
> L2TPv3 defines an IP encapsulation packet format where data is carried
> directly over IP (no UDP). The kernel already has support for L2TP IP
> encapsulation over IPv4 (l2tp_ip). This patch introduces support for L2TP
> IP encapsulation over IPv6.
...
> + /* Check if the address belongs to the host. */
> + if (addr_type != IPV6_ADDR_ANY) {
> + struct net_device *dev = NULL;
> +
> + if (addr_type & IPV6_ADDR_LINKLOCAL) {
> + if (addr_len >= sizeof(struct sockaddr_in6) &&
> + addr->l2tp_scope_id) {
> + /* Override any existing binding, if another
> + * one is supplied by user.
> + */
> + sk->sk_bound_dev_if = addr->l2tp_scope_id;
> + }
> +
> + /* Binding to link-local address requires an
> + interface */
> + if (!sk->sk_bound_dev_if)
> + goto out_unlock;
> +
> + err = -ENODEV;
> + rcu_read_lock();
> + dev = dev_get_by_index_rcu(sock_net(sk),
> + sk->sk_bound_dev_if);
> + rcu_read_unlock();
Here you can not dereference dev, since it can disappear after
rcu_read_unlock()
> + if (!dev)
> + goto out_unlock;
> + }
> +
> + /* ipv4 addr of the socket is invalid. Only the
> + * unspecified and mapped address have a v4 equivalent.
> + */
> + v4addr = LOOPBACK4_IPV6;
> + err = -EADDRNOTAVAIL;
So I suspect a potential problem here :
> + if (!ipv6_chk_addr(sock_net(sk), &addr->l2tp_addr, dev, 0))
> + goto out_unlock;
> + }
> +
...
> +back_from_confirm:
> + lock_sock(sk);
> + err = ip6_append_data(sk, ip_generic_getfrag, msg->msg_iov,
> + ulen, transhdrlen, hlimit, tclass, opt,
> + &fl6, (struct rt6_info *)dst,
> + msg->msg_flags, dontfrag);
> + if (err)
> + ip6_flush_pending_frames(sk);
> + else if (!(msg->msg_flags & MSG_MORE))
> + err = l2tp_ip6_push_pending_frames(sk);
> + release_sock(sk);
> +done:
> + dst_release(dst);
> +out:
> + fl6_sock_release(flowlabel);
> +
> + /* Update stats */
> + if (err < 0) {
> + lsk->tx_errors++;
> + } else {
> + lsk->tx_packets++;
This is not SMP (especially on 32bit) safe, you dont own any lock
> + lsk->tx_bytes += len;
> + }
> +
> + return err < 0 ? err : len;
> +
> +do_confirm:
> + dst_confirm(dst);
> + if (!(msg->msg_flags & MSG_PROBE) || len)
> + goto back_from_confirm;
> + err = 0;
> + goto done;
> +}
> +
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists