mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-06 19:07:52 +00:00
Code Issues Releases Wiki Activity
linux-stable/net
History
Jacob Wen 3924ebe54f l2tp: fix reading optional fields of L2TPv3 
[ Upstream commit 4522a70db7 ]

Use pskb_may_pull() to make sure the optional fields are in skb linear
parts, so we can safely read them later.

It's easy to reproduce the issue with a net driver that supports paged
skb data. Just create a L2TPv3 over IP tunnel and then generates some
network traffic.
Once reproduced, rx err in /sys/kernel/debug/l2tp/tunnels will increase.

Changes in v4:
1. s/l2tp_v3_pull_opt/l2tp_v3_ensure_opt_in_linear/
2. s/tunnel->version != L2TP_HDR_VER_2/tunnel->version == L2TP_HDR_VER_3/
3. Add 'Fixes' in commit messages.

Changes in v3:
1. To keep consistency, move the code out of l2tp_recv_common.
2. Use "net" instead of "net-next", since this is a bug fix.

Changes in v2:
1. Only fix L2TPv3 to make code simple.
   To fix both L2TPv3 and L2TPv2, we'd better refactor l2tp_recv_common.
   It's complicated to do so.
2. Reloading pointers after pskb_may_pull

Fixes: f7faffa3ff ("l2tp: Add L2TPv3 protocol support")
Fixes: 0d76751fad ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
Fixes: a32e0eec70 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
Signed-off-by: Jacob Wen <jian.w.wen@oracle.com>
Acked-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-02-06 17:31:33 +01:00
..
6lowpan 6lowpan: iphc: reset mac_header after decompress to fix panic 2018-10-03 17:00:47 -07:00
9p 9p/net: put a lower bound on msize 2019-01-13 10:01:06 +01:00
802 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
8021q net: fix use-after-free in GRO with ESP 2018-07-22 14:28:44 +02:00
appletalk License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
atm atm: Preserve value of skb->truesize when accounting to vcc 2018-07-22 14:28:43 +02:00
ax25 ax25: fix a use-after-free in ax25_fillin_cb() 2019-01-09 17:14:43 +01:00
batman-adv batman-adv: Expand merged fragment buffer for full packet 2018-12-13 09:18:46 +01:00
bluetooth Bluetooth: SMP: fix crash in unpairing 2018-11-04 14:52:39 +01:00
bpf
bridge net: Fix usage of pskb_trim_rcsum 2019-01-31 08:13:41 +01:00
caif net: caif: Add a missing rcu_read_unlock() in caif_flow_cb 2018-09-05 09:26:27 +02:00
can can: bcm: check timer values before ktime conversion 2019-01-31 08:13:46 +01:00
ceph libceph: check authorizer reply/challenge length before reading 2018-12-05 19:41:27 +01:00
core net: set default network namespace in init_dummy_netdev() 2019-02-06 17:31:32 +01:00
dcb net: dcb: For wild-card lookups, use priority -1, not 0 2018-09-19 22:43:43 +02:00
dccp inet: make sure to grab rcu_read_lock before using ireq->ireq_opt 2018-10-18 09:16:21 +02:00
decnet dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock 2018-02-25 11:07:52 +01:00
dns_resolver KEYS: DNS: fix parsing multiple options 2018-07-22 14:28:49 +02:00
dsa net: dsa: Do not suspend/resume closed slave_dev 2018-08-06 16:20:48 +02:00
ethernet
hsr net/hsr: Check skb_put_padto() return value 2017-08-22 13:40:23 -07:00
ieee802154 ieee802154: lowpan_header_create check must check daddr 2019-01-09 17:14:43 +01:00
ife net: sched: ife: check on metadata length 2018-04-29 11:33:13 +02:00
ipv4 Fix "net: ipv4: do not handle duplicate fragments as overlapping" 2019-02-06 17:31:31 +01:00
ipv6 ipv6: sr: clear IP6CB(skb) on SRH ip4ip6 encapsulation 2019-02-06 17:31:31 +01:00
ipx License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
iucv net/iucv: Free memory obtained by kzalloc 2018-03-31 18:10:41 +02:00
kcm kcm: Fix use-after-free caused by clonned sockets 2018-06-11 22:49:19 +02:00
key af_key: Always verify length of provided sadb_key 2018-06-16 09:45:14 +02:00
l2tp l2tp: fix reading optional fields of L2TPv3 2019-02-06 17:31:33 +01:00
l3mdev
lapb
llc llc: do not use sk_eat_skb() 2018-12-01 09:42:51 +01:00
mac80211 mac80211: free skb fraglist before freeing the skb 2019-01-13 10:01:01 +01:00
mac802154 net: mac802154: tx: expand tailroom if necessary 2018-09-09 19:55:52 +02:00
mpls mpls, nospec: Sanitize array index in mpls_label_ok() 2018-02-22 15:42:28 +01:00
ncsi net/ncsi: Fix length of GVI response packet 2017-10-21 01:56:38 +01:00
netfilter netfilter: nat: can't use dst_hold on noref dst 2019-01-13 10:00:58 +01:00
netlabel netlabel: check for IPV4MASK in addrinfo_get 2018-10-18 09:16:18 +02:00
netlink netlink: Don't shift on 64 for ngroups 2018-08-09 12:16:38 +02:00
netrom netrom: switch to sock timer API 2019-02-06 17:31:32 +01:00
nfc NFC: Fix possible memory corruption when handling SHDLC I-Frame commands 2018-09-29 03:06:01 -07:00
nsh nsh: set mac len based on inner packet 2018-07-22 14:28:49 +02:00
openvswitch openvswitch: Avoid OOB read when parsing flow nlattrs 2019-01-31 08:13:41 +01:00
packet packet: Do not leak dev refcounts on error exit 2019-01-23 08:09:47 +01:00
phonet License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
psample MAINTAINERS: Update Yotam's E-mail 2017-11-01 12:19:03 +09:00
qrtr net: qrtr: Broadcast messages only from control port 2018-08-24 13:09:13 +02:00
rds rds: rds_ib_recv_alloc_cache() should call alloc_percpu_gfp() instead 2018-10-13 09:27:29 +02:00
rfkill rfkill: gpio: fix memory leak in probe error path 2018-05-16 10:10:26 +02:00
rose net/rose: fix NULL ax25_cb kernel panic 2019-02-06 17:31:32 +01:00
rxrpc rxrpc: Fix connection-level abort handling 2018-11-04 14:52:46 +01:00
sched net_sched: refetch skb protocol for each filter 2019-01-31 08:13:41 +01:00
sctp sctp: improve the events for sctp stream reset 2019-02-06 17:31:33 +01:00
smc net/smc: fix TCP fallback socket release 2019-01-09 17:14:46 +01:00
strparser strparser: Remove early eaten to fix full tcp receive buffer stall 2018-07-22 14:28:47 +02:00
sunrpc sunrpc: handle ENOMEM in rpcb_getport_async 2019-01-23 08:09:50 +01:00
switchdev net: switchdev: Remove bridge bypass support from switchdev 2017-08-07 14:48:48 -07:00
tipc tipc: fix uninit-value in tipc_nl_compat_doit 2019-01-23 08:09:51 +01:00
tls net/tls: Fixed return value when tls_complete_pending_work() fails 2018-12-05 19:41:11 +01:00
unix License cleanup: add SPDX license identifiers to some files 2017-11-02 10:04:46 -07:00
vmw_vsock VSOCK: Send reset control packet when socket is partially bound 2019-01-09 17:14:45 +01:00
wimax License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
wireless cfg80211: fix use-after-free in reg_process_hint() 2018-11-04 14:52:40 +01:00
x25 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xfrm xfrm: Fix NULL pointer dereference in xfrm_input when skb_dst_force clears the dst_entry. 2019-01-13 10:00:57 +01:00
compat.c sock: Make sock->sk_stamp thread-safe 2019-01-09 17:14:46 +01:00
Kconfig net: Remove CONFIG_NETFILTER_DEBUG and _ASSERT() macros. 2017-09-04 13:25:20 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
socket.c net: socket: fix a missing-check bug 2018-11-04 14:52:49 +01:00
sysctl_net.c