l2tp: lock socket before checking flags in connect()

commit 0382a25af3c771a8e4d5e417d1834cbe28c2aaac upstream.

Socket flags aren't updated atomically, so the socket must be locked
while reading the SOCK_ZAPPED flag.

This issue exists for both l2tp_ip and l2tp_ip6. For IPv6, this patch
also brings error handling for __ip6_datagram_connect() failures.

Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Giuliano Procida <gprocida@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 6258264a0bf73d76a7a63832c669d85c611b88a4..94880f07bc0620aaa88f04d28f73beca3f95199c 100644 (file)
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -915,6 +915,8 @@ int compat_ipv6_setsockopt(struct sock *sk, int level, int optname,
 int compat_ipv6_getsockopt(struct sock *sk, int level, int optname,
                           char __user *optval, int __user *optlen);
 
+int __ip6_datagram_connect(struct sock *sk, struct sockaddr *addr,
+                          int addr_len);
 int ip6_datagram_connect(struct sock *sk, struct sockaddr *addr, int addr_len);
 int ip6_datagram_connect_v6_only(struct sock *sk, struct sockaddr *addr,
                                 int addr_len);

diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index f33154365b643c425ab6131aed9c680f64a4d9d7..389b6367a81084ec27a4f9df5f38cc85f90a362c 100644 (file)
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -40,7 +40,8 @@ static bool ipv6_mapped_addr_any(const struct in6_addr *a)
        return ipv6_addr_v4mapped(a) && (a->s6_addr32[3] == 0);
 }
 
-static int __ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+int __ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr,
+                          int addr_len)
 {
        struct sockaddr_in6     *usin = (struct sockaddr_in6 *) uaddr;
        struct inet_sock        *inet = inet_sk(sk);
@@ -213,6 +214,7 @@ static int __ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int a
        fl6_sock_release(flowlabel);
        return err;
 }
+EXPORT_SYMBOL_GPL(__ip6_datagram_connect);
 
 int ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
 {

diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index 58f87bdd12c756d0ce4e722d4a9f5705f0d412ab..fab122cc6aac482787de4025f894040aba7993cb 100644 (file)
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -321,21 +321,24 @@ static int l2tp_ip_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len
        struct sockaddr_l2tpip *lsa = (struct sockaddr_l2tpip *) uaddr;
        int rc;
 
-       if (sock_flag(sk, SOCK_ZAPPED)) /* Must bind first - autobinding does not work */
-               return -EINVAL;
-
        if (addr_len < sizeof(*lsa))
                return -EINVAL;
 
        if (ipv4_is_multicast(lsa->l2tp_addr.s_addr))
                return -EINVAL;
 
-       rc = ip4_datagram_connect(sk, uaddr, addr_len);
-       if (rc < 0)
-               return rc;
-
        lock_sock(sk);
 
+       /* Must bind first - autobinding does not work */
+       if (sock_flag(sk, SOCK_ZAPPED)) {
+               rc = -EINVAL;
+               goto out_sk;
+       }
+
+       rc = __ip4_datagram_connect(sk, uaddr, addr_len);
+       if (rc < 0)
+               goto out_sk;
+
        l2tp_ip_sk(sk)->peer_conn_id = lsa->l2tp_conn_id;
 
        write_lock_bh(&l2tp_ip_lock);
@@ -343,7 +346,9 @@ static int l2tp_ip_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len
        sk_add_bind_node(sk, &l2tp_ip_bind_table);
        write_unlock_bh(&l2tp_ip_lock);
 
+out_sk:
        release_sock(sk);
+
        return rc;
 }
 

diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index 2b5230ef8536a0d6f4f6b7dce7b09f5ec43d979f..59e609f2db6414566633ef5935b1203b0029d324 100644 (file)
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -383,9 +383,6 @@ static int l2tp_ip6_connect(struct sock *sk, struct sockaddr *uaddr,
        int     addr_type;
        int rc;
 
-       if (sock_flag(sk, SOCK_ZAPPED)) /* Must bind first - autobinding does not work */
-               return -EINVAL;
-
        if (addr_len < sizeof(*lsa))
                return -EINVAL;
 
@@ -402,10 +399,18 @@ static int l2tp_ip6_connect(struct sock *sk, struct sockaddr *uaddr,
                        return -EINVAL;
        }
 
-       rc = ip6_datagram_connect(sk, uaddr, addr_len);
-
        lock_sock(sk);
 
+        /* Must bind first - autobinding does not work */
+       if (sock_flag(sk, SOCK_ZAPPED)) {
+               rc = -EINVAL;
+               goto out_sk;
+       }
+
+       rc = __ip6_datagram_connect(sk, uaddr, addr_len);
+       if (rc < 0)
+               goto out_sk;
+
        l2tp_ip6_sk(sk)->peer_conn_id = lsa->l2tp_conn_id;
 
        write_lock_bh(&l2tp_ip6_lock);
@@ -413,6 +418,7 @@ static int l2tp_ip6_connect(struct sock *sk, struct sockaddr *uaddr,
        sk_add_bind_node(sk, &l2tp_ip6_bind_table);
        write_unlock_bh(&l2tp_ip6_lock);
 
+out_sk:
        release_sock(sk);
 
        return rc;