Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

l2tp: copy 4 more bytes to linear part if necessary

The size of L2TPv2 header with all optional fields is 14 bytes.
l2tp_udp_recv_core only moves 10 bytes to the linear part of a
skb. This may lead to l2tp_recv_common reading data outside of a skb.

This patch makes sure that there is at least 14 bytes in the linear
part of a skb to meet the maximum need of l2tp_udp_recv_core and
l2tp_recv_common. The minimum size of both PPP HDLC-like frame and
Ethernet frame is larger than 14 bytes, so we are safe to do so.

Also remove L2TP_HDR_SIZE_NOSEQ, it is unused now.

Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Suggested-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Jacob Wen <jian.w.wen@oracle.com>
Acked-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Authored by Jacob Wen and committed by David S. Miller
91c52470 3aa9179b

+2 -3
net/l2tp/l2tp_core.c
··· 83 83 #define L2TP_SLFLAG_S 0x40000000 84 84 #define L2TP_SL_SEQ_MASK 0x00ffffff 85 85 86 - #define L2TP_HDR_SIZE_SEQ 10 87 - #define L2TP_HDR_SIZE_NOSEQ 6 86 + #define L2TP_HDR_SIZE_MAX 14 88 87 89 88 /* Default trace flags */ 90 89 #define L2TP_DEFAULT_DEBUG_FLAGS 0 ··· 807 808 __skb_pull(skb, sizeof(struct udphdr)); 808 809 809 810 /* Short packet? */ 810 - if (!pskb_may_pull(skb, L2TP_HDR_SIZE_SEQ)) { 811 + if (!pskb_may_pull(skb, L2TP_HDR_SIZE_MAX)) { 811 812 l2tp_info(tunnel, L2TP_MSG_DATA, 812 813 "%s: recv short packet (len=%d)\n", 813 814 tunnel->name, skb->len);
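Review bot: the new L2TP_HDR_SIZE_MAX define at line 86 has no comment saying what the 14 covers, and the name alone does not tell a reader that it is the L2TPv2 header with every optional field present, as the commit message states. Suggest a one-line comment above it, for example /* L2TPv2 header with all optional fields */. Since L2TP_HDR_SIZE_SEQ is removed here as well, it is worth confirming that the pskb_may_pull() call updated in the second hunk was its only user.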
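Review bot: at the pskb_may_pull(skb, L2TP_HDR_SIZE_MAX) check (line 811), every packet with fewer than 14 bytes after the UDP header now takes the "recv short packet" path, where the previous threshold was 10. The commit message argues this is safe for PPP and Ethernet payloads but does not say what happens to any other valid packet of 10 to 13 bytes that reaches this function; please state that in the commit message or in the /* Short packet? */ comment. The l2tp_info() line prints skb->len only, so adding the required minimum to the message would make the log self-explanatory.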
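The header-size reasoning in the commit message, as an added user-space example (not kernel code and not part of this commit): a parser that treats the linear part as a byte count and refuses to read past it. Flag values follow RFC 2661; the function names, struct and sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* L2TPv2 flag bits in the first 16-bit header word (RFC 2661). */
#define HDRFLAG_L 0x4000 /* Length field present */
#define HDRFLAG_S 0x0800 /* Ns and Nr present */
#define HDRFLAG_O 0x0200 /* Offset Size present */

struct l2tpv2_hdr { uint16_t flags, tunnel_id, session_id, ns, nr, offset; };

/* Constructed sample: L, S and O set, version 2, all optional fields present. */
const uint8_t sample_pkt[] = {
    0x4A, 0x02,  0x00, 0x10,  0x00, 0x01,  0x00, 0x02, /* flags, len, tid, sid */
    0x00, 0x03,  0x00, 0x04,  0x00, 0x00,              /* Ns, Nr, Offset Size  */
    0xFF, 0x03                                         /* start of payload     */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Header bytes implied by the flags word: 6 mandatory, up to 14 in total. */
size_t l2tpv2_hdr_len(uint16_t flags)
{
    size_t len = 6;                      /* flags/version, tunnel id, session id */
    if (flags & HDRFLAG_L) len += 2;
    if (flags & HDRFLAG_S) len += 4;
    if (flags & HDRFLAG_O) len += 2;
    return len;
}

/* Parse only if the whole header fits in the `linear` directly readable bytes.
 * Returns the header length, or -1 where parsing would read outside them. */
int l2tpv2_parse(const uint8_t *p, size_t linear, struct l2tpv2_hdr *h)
{
    if (linear < 2)
        return -1;
    h->flags = be16(p);
    size_t need = l2tpv2_hdr_len(h->flags);
    if (need > linear)
        return -1;
    p += 2;
    if (h->flags & HDRFLAG_L) p += 2;    /* skip the Length field */
    h->tunnel_id = be16(p);  p += 2;
    h->session_id = be16(p); p += 2;
    h->ns = h->nr = h->offset = 0;
    if (h->flags & HDRFLAG_S) { h->ns = be16(p); h->nr = be16(p + 2); p += 4; }
    if (h->flags & HDRFLAG_O) h->offset = be16(p);
    return (int)need;
}
```

With only 10 readable bytes the sample header is rejected; with 14 it parses in full, which is the guarantee the larger pull size gives the kernel parser.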