| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20180413.121525.1987403291146818781.davem@davemloft.net>
Date: Fri, 13 Apr 2018 12:15:25 -0400 (EDT)
From: David Miller <davem@...emloft.net>
To: g.nault@...halink.fr
Cc: netdev@...r.kernel.org, jchapman@...alix.com
Subject: Re: [PATCH net 1/3] l2tp: hold reference on tunnels in netlink
dumps
From: Guillaume Nault <g.nault@...halink.fr>
Date: Fri, 13 Apr 2018 18:09:12 +0200
> On Fri, Apr 13, 2018 at 10:57:03AM -0400, David Miller wrote:
>> From: Guillaume Nault <g.nault@...halink.fr>
>> Date: Thu, 12 Apr 2018 20:50:33 +0200
>>
>> > l2tp_tunnel_find_nth() is unsafe: no reference is held on the returned
>> > tunnel, therefore it can be freed whenever the caller uses it.
>> > This patch defines l2tp_tunnel_get_nth() which works similarly, but
>> > also takes a reference on the returned tunnel. The caller then has to
>> > drop it after it stops using the tunnel.
>> >
>> > Convert netlink dumps to make them safe against concurrent tunnel
>> > deletion.
>> >
>> > Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
>> > Signed-off-by: Guillaume Nault <g.nault@...halink.fr>
>>
>> During the entire invocation of l2tp_nl_cmd_tunnel_dump(), the RTNL
>> mutex is held.
>>
>> Therefore no tunnel configuration changes may occur and the tunnel
>> object will persist and is safe to access.
>>
> Yes, but only for updates done with the genl API. For L2TPv2, the
> tunnel can be created by connecting a PPPOL2TP and a UDP socket.
> Closing these sockets destroys the tunnel without any RTNL
> synchronisation.
Right, that's the part I missed. Thanks for explaining.
Powered by blists - more mailing lists