From: Alexis Dambricourt <alexis.dambricourt@gmail.com>
Date: Mon, 4 Jan 2016 23:26:07 +0000 (+0100)
Subject: l2tpv3: fix cookie decoding
X-Git-Tag: v2.6.0-rc0~234^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3be9b3528debd985b7a84ace0626cacf5ffe5ec4;p=thirdparty%2Fqemu.git

l2tpv3: fix cookie decoding

If a 32 bits l2tpv3 frame cookie MSB if set to 1, the cast to uint64_t
cookie will spread 1 to the four most significant bytes.
Then the condition (cookie != s->rx_cookie) becomes false.

Signed-off-by: Alexis Dambricourt <alexis.dambricourt@gmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---

diff --git a/net/l2tpv3.c b/net/l2tpv3.c
index 8e68e540ece..21d6119ed40 100644
--- a/net/l2tpv3.c
+++ b/net/l2tpv3.c
@@ -325,7 +325,7 @@ static int l2tpv3_verify_header(NetL2TPV3State *s, uint8_t *buf)
         if (s->cookie_is_64) {
             cookie = ldq_be_p(buf + s->cookie_offset);
         } else {
-            cookie = ldl_be_p(buf + s->cookie_offset);
+            cookie = ldl_be_p(buf + s->cookie_offset) & 0xffffffffULL;
         }
         if (cookie != s->rx_cookie) {
             if (!s->header_mismatch) {