• J
    l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case · c51ce497
    James Chapman 提交于
    An application may call connect() to disconnect a socket using an
    address with family AF_UNSPEC. The L2TP IP sockets were not handling
    this case when the socket is not bound and an attempt to connect()
    using AF_UNSPEC in such cases would result in an oops. This patch
    addresses the problem by protecting the sk_prot->disconnect() call
    against trying to unhash the socket before it is bound.
    
    The L2TP IPv4 and IPv6 sockets have the same problem. Both are fixed
    by this patch.
    
    The patch also adds more checks that the sockaddr supplied to bind()
    and connect() calls is valid.
    
     RIP: 0010:[<ffffffff82e133b0>]  [<ffffffff82e133b0>] inet_unhash+0x50/0xd0
     RSP: 0018:ffff88001989be28  EFLAGS: 00010293
     Stack:
      ffff8800407a8000 0000000000000000 ffff88001989be78 ffffffff82e3a249
      ffffffff82e3a050 ffff88001989bec8 ffff88001989be88 ffff8800407a8000
      0000000000000010 ffff88001989bec8 ffff88001989bea8 ffffffff82e42639
     Call Trace:
     [<ffffffff82e3a249>] udp_disconnect+0x1f9/0x290
     [<ffffffff82e42639>] inet_dgram_connect+0x29/0x80
     [<ffffffff82d012fc>] sys_connect+0x9c/0x100
    Reported-by: NSasha Levin <levinsasha928@gmail.com>
    Signed-off-by: NJames Chapman <jchapman@katalix.com>
    Signed-off-by: NDavid S. Miller <davem@davemloft.net>
    c51ce497
l2tp_ip.c 15.7 KB