diff options
| author | Lorenzo Bianconi <lorenzo.bianconi@redhat.com> | 2018-01-16 23:01:55 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-02-06 17:31:33 +0100 |
| commit | a12098dd9f84ad7d94f2e4a36c2f73bb9eaa985c (patch) | |
| tree | 31c6e2acb841d992169e39dd5b4a095e1bd693cc /net/ipv4/proc.c | |
| parent | 556e554a3b7478dba08585b5393384c973f36408 (diff) | |
| download | linux-rpi3-a12098dd9f84ad7d94f2e4a36c2f73bb9eaa985c.tar.gz linux-rpi3-a12098dd9f84ad7d94f2e4a36c2f73bb9eaa985c.tar.bz2 linux-rpi3-a12098dd9f84ad7d94f2e4a36c2f73bb9eaa985c.zip | |
l2tp: remove l2specific_len dependency in l2tp_core
commit 62e7b6a57c7b9bf3c6fd99418eeec05b08a85c38 upstream.
Remove l2specific_len dependency while building l2tpv3 header or
parsing the received frame since default L2-Specific Sublayer is
always four bytes long and we don't need to rely on a user supplied
value.
Moreover in l2tp netlink code there are no sanity checks to
enforce the relation between l2specific_len and l2specific_type,
so sending a malformed netlink message is possible to set
l2specific_type to L2TP_L2SPECTYPE_DEFAULT (or even
L2TP_L2SPECTYPE_NONE) and set l2specific_len to a value greater than
4 leaking memory on the wire and sending corrupted frames.
Reviewed-by: Guillaume Nault <g.nault@alphalink.fr>
Tested-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net/ipv4/proc.c')
0 files changed, 0 insertions, 0 deletions