| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20200721173221.4681-30-tparkin@katalix.com>
Date: Tue, 21 Jul 2020 18:32:21 +0100
From: Tom Parkin <tparkin@...alix.com>
To: netdev@...r.kernel.org
Cc: Tom Parkin <tparkin@...alix.com>
Subject: [PATCH 29/29] l2tp: WARN_ON rather than BUG_ON in l2tp_session_free
l2tp_session_free called BUG_ON if the tunnel magic feather value wasn't
correct. The intent of this was to catch lifetime bugs; for example
early tunnel free due to incorrect use of reference counts.
Since the tunnel magic feather being wrong indicates either early free
or structure corruption, we can avoid doing more damage by simply
leaving the tunnel structure alone. If the tunnel refcount isn't
dropped when it should be, the tunnel instance will remain in the
kernel, resulting in the tunnel structure and socket leaking.
Signed-off-by: Tom Parkin <tparkin@...alix.com>
---
net/l2tp/l2tp_core.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 34dacb14042f..64c4350b8eb4 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1566,8 +1566,10 @@ void l2tp_session_free(struct l2tp_session *session)
struct l2tp_tunnel *tunnel = session->tunnel;
if (tunnel) {
- BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
- l2tp_tunnel_dec_refcount(tunnel);
+ if (tunnel->magic == L2TP_TUNNEL_MAGIC)
+ l2tp_tunnel_dec_refcount(tunnel);
+ else
+ WARN_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
}
kfree(session);
--
2.17.1
Powered by blists - more mailing lists