summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuillaume Nault <g.nault@alphalink.fr>2016-11-29 13:09:45 +0100
committerDavid S. Miller <davem@davemloft.net>2016-11-30 14:14:07 -0500
commita3c18422a4b4e108bcf6a2328f48867e1003fd95 (patch)
treeeeca3ead29ffaf135c31d9a11b29b082766b22cc
parent0382a25af3c771a8e4d5e417d1834cbe28c2aaac (diff)
downloadlinux-a3c18422a4b4e108bcf6a2328f48867e1003fd95.tar.gz
linux-a3c18422a4b4e108bcf6a2328f48867e1003fd95.tar.bz2
linux-a3c18422a4b4e108bcf6a2328f48867e1003fd95.zip
l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()
Socket must be held while under the protection of the l2tp lock; there is no guarantee that sk remains valid after the read_unlock_bh() call. Same issue for l2tp_ip and l2tp_ip6. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/l2tp/l2tp_ip.c11
-rw-r--r--net/l2tp/l2tp_ip6.c11
2 files changed, 12 insertions, 10 deletions
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index 1f57094d3111..4d1c942cc91b 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -183,14 +183,15 @@ pass_up:
read_lock_bh(&l2tp_ip_lock);
sk = __l2tp_ip_bind_lookup(net, iph->daddr, 0, tunnel_id);
+ if (!sk) {
+ read_unlock_bh(&l2tp_ip_lock);
+ goto discard;
+ }
+
+ sock_hold(sk);
read_unlock_bh(&l2tp_ip_lock);
}
- if (sk == NULL)
- goto discard;
-
- sock_hold(sk);
-
if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
goto discard_put;
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index af9abfff637c..e3fc7786f188 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -198,14 +198,15 @@ pass_up:
read_lock_bh(&l2tp_ip6_lock);
sk = __l2tp_ip6_bind_lookup(net, &iph->daddr,
0, tunnel_id);
+ if (!sk) {
+ read_unlock_bh(&l2tp_ip6_lock);
+ goto discard;
+ }
+
+ sock_hold(sk);
read_unlock_bh(&l2tp_ip6_lock);
}
- if (sk == NULL)
- goto discard;
-
- sock_hold(sk);
-
if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
goto discard_put;