From patchwork Fri Jun 15 13:39:19 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Guillaume Nault <g.nault@alphalink.fr>
X-Patchwork-Id: 929946
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none)
	header.from=alphalink.fr
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 416hRh6sP5z9s3C
	for <patchwork-incoming-netdev@ozlabs.org>;
	Fri, 15 Jun 2018 23:39:28 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S936298AbeFONjZ (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Fri, 15 Jun 2018 09:39:25 -0400
Received: from zimbra.alphalink.fr ([217.15.80.77]:43966 "EHLO
	zimbra.alphalink.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S936144AbeFONjW (ORCPT
	<rfc822;netdev@vger.kernel.org>); Fri, 15 Jun 2018 09:39:22 -0400
Received: from localhost (localhost [127.0.0.1])
	by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id
	0684E2B520AE; Fri, 15 Jun 2018 15:39:21 +0200 (CEST)
Received: from zimbra.alphalink.fr ([127.0.0.1])
	by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1])
	(amavisd-new, port 10032)
	with ESMTP id Z0sgFSUiwk0R; Fri, 15 Jun 2018 15:39:19 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id
	C93022B520B9; Fri, 15 Jun 2018 15:39:19 +0200 (CEST)
X-Virus-Scanned: amavisd-new at mail-2-cbv2.admin.alphalink.fr
Received: from zimbra.alphalink.fr ([127.0.0.1])
	by localhost (mail-2-cbv2.admin.alphalink.fr [127.0.0.1])
	(amavisd-new, port 10026)
	with ESMTP id NW8AQ7-ceY9D; Fri, 15 Jun 2018 15:39:19 +0200 (CEST)
Received: from c-dev-0.admin.alphalink.fr (94-84-15-217.reverse.alphalink.fr
	[217.15.84.94])
	by mail-2-cbv2.admin.alphalink.fr (Postfix) with ESMTP id
	9D44E2B520AE; Fri, 15 Jun 2018 15:39:19 +0200 (CEST)
Received: by c-dev-0.admin.alphalink.fr (Postfix, from userid 1000)
	id 72A40600AD; Fri, 15 Jun 2018 15:39:19 +0200 (CEST)
Date: Fri, 15 Jun 2018 15:39:19 +0200
From: Guillaume Nault <g.nault@alphalink.fr>
To: netdev@vger.kernel.org
Cc: James Chapman <jchapman@katalix.com>
Subject: [PATCH net 2/2] l2tp: filter out non-PPP sessions in
	pppol2tp_tunnel_ioctl()
Message-ID: 
 <6d523b6a290ac01939c29e7e4e0ec9b96c9c9d8f.1529065935.git.g.nault@alphalink.fr>
References: <cover.1529065935.git.g.nault@alphalink.fr>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <cover.1529065935.git.g.nault@alphalink.fr>
X-Mutt-Fcc: =Sent
User-Agent: Mutt/1.10.0 (2018-05-17)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

pppol2tp_tunnel_ioctl() can act on an L2TPv3 tunnel, in which case
'session' may be an Ethernet pseudo-wire.

However, pppol2tp_session_ioctl() expects a PPP pseudo-wire, as it
assumes l2tp_session_priv() points to a pppol2tp_session structure. For
an Ethernet pseudo-wire l2tp_session_priv() points to an l2tp_eth_sess
structure instead, making pppol2tp_session_ioctl() access invalid
memory.

Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
---
 net/l2tp/l2tp_ppp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index f429fed06a1e..55188382845c 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -1201,7 +1201,7 @@ static int pppol2tp_tunnel_ioctl(struct l2tp_tunnel *tunnel,
 				l2tp_session_get(sock_net(sk), tunnel,
 						 stats.session_id);
 
-			if (session) {
+			if (session && session->pwtype == L2TP_PWTYPE_PPP) {
 				err = pppol2tp_session_ioctl(session, cmd,
 							     arg);
 				l2tp_session_dec_refcount(session);