• Guillaume Nault's avatar
    l2tp: prevent creation of sessions on terminated tunnels · f3c66d4e
    Guillaume Nault authored
    l2tp_tunnel_destruct() sets tunnel->sock to NULL, then removes the
    tunnel from the pernet list and finally closes all its sessions.
    Therefore, it's possible to add a session to a tunnel that is still
    reachable, but for which tunnel->sock has already been reset. This can
    make l2tp_session_create() dereference a NULL pointer when calling
    sock_hold(tunnel->sock).
    
    This patch adds the .acpt_newsess field to struct l2tp_tunnel, which is
    used by l2tp_tunnel_closeall() to prevent addition of new sessions to
    tunnels. Resetting tunnel->sock is done after l2tp_tunnel_closeall()
    returned, so that l2tp_session_add_to_tunnel() can safely take a
    reference on it when .acpt_newsess is true.
    
    The .acpt_newsess field is modified in l2tp_tunnel_closeall(), rather
    than in l2tp_tunnel_destruct(), so that it benefits all tunnel removal
    mechanisms. E.g. on UDP tunnels, a session could be added to a tunnel
    after l2tp_udp_encap_destroy() proceeded. This would prevent the tunnel
    from being removed because of the references held by this new session
    on the tunnel and its socket. Even though the session could be removed
    manually later on, this defeats the purpose of
    commit 9980d001 ("l2tp: add udp encap socket destroy handler").
    
    Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
    Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    f3c66d4e
l2tp_core.c 51.4 KB