diff options
| author | Lorenzo Bianconi <lorenzo.bianconi@redhat.com> | 2018-01-16 23:01:55 +0100 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2018-01-19 15:00:49 -0500 |
| commit | 62e7b6a57c7b9bf3c6fd99418eeec05b08a85c38 (patch) | |
| tree | 670832c4df1db3f15d1b51de9875f4e4a5dd0428 /net/l2tp/l2tp_core.h | |
| parent | dfffc97d0e196c33452a6bce5a78e33786247d23 (diff) | |
| download | linux-62e7b6a57c7b9bf3c6fd99418eeec05b08a85c38.tar.bz2 | |
l2tp: remove l2specific_len dependency in l2tp_core
Remove l2specific_len dependency while building l2tpv3 header or
parsing the received frame since default L2-Specific Sublayer is
always four bytes long and we don't need to rely on a user supplied
value.
Moreover in l2tp netlink code there are no sanity checks to
enforce the relation between l2specific_len and l2specific_type,
so sending a malformed netlink message is possible to set
l2specific_type to L2TP_L2SPECTYPE_DEFAULT (or even
L2TP_L2SPECTYPE_NONE) and set l2specific_len to a value greater than
4 leaking memory on the wire and sending corrupted frames.
Reviewed-by: Guillaume Nault <g.nault@alphalink.fr>
Tested-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/l2tp/l2tp_core.h')
| -rw-r--r-- | net/l2tp/l2tp_core.h | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h index c2e9bbd79b35..7bef304de4f0 100644 --- a/net/l2tp/l2tp_core.h +++ b/net/l2tp/l2tp_core.h @@ -302,6 +302,17 @@ static inline void l2tp_session_dec_refcount(struct l2tp_session *session) l2tp_session_free(session); } +static inline int l2tp_get_l2specific_len(struct l2tp_session *session) +{ + switch (session->l2specific_type) { + case L2TP_L2SPECTYPE_DEFAULT: + return 4; + case L2TP_L2SPECTYPE_NONE: + default: + return 0; + } +} + #define l2tp_printk(ptr, type, func, fmt, ...) \ do { \ if (((ptr)->debug) & (type)) \ |