From: Willy Tarreau Date: Mon, 29 Feb 2016 19:34:15 +0000 (+0100) Subject: l2tp: fix another panic in pppol2tp X-Git-Tag: v2.6.32.71~44 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e3dea3074f18a0c1dca8b6328b6bba0af3d61349;p=thirdparty%2Fkernel%2Fstable.git l2tp: fix another panic in pppol2tp Commit 3feec9095d1 ("l2tp: Fix oops in pppol2tp_xmit") was backported into 2.6.32.16 to fix a possible null deref in pppol2tp. But the same still exists in pppol2tp_sendmsg() possibly causing the same crash. Note that this bug doesn't appear to have any other impact than crashing the system, as the dereferenced pointer is only used to test a value against a 3-bit mask, so it can hardly be abused for anything except leaking one third of a bit of memory. This issue doesn't exist upstream because the code was replaced in 2.6.35 and the new function l2tp_xmit_skb() performs the appropriate check. Reported-by: Ben Hutchings Signed-off-by: Willy Tarreau --- diff --git a/drivers/net/pppol2tp.c b/drivers/net/pppol2tp.c index 4c8f019e7b9af..2295c134f590c 100644 --- a/drivers/net/pppol2tp.c +++ b/drivers/net/pppol2tp.c @@ -975,7 +975,8 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh /* Calculate UDP checksum if configured to do so */ if (sk_tun->sk_no_check == UDP_CSUM_NOXMIT) skb->ip_summed = CHECKSUM_NONE; - else if (!(skb_dst(skb)->dev->features & NETIF_F_V4_CSUM)) { + else if ((skb_dst(skb) && skb_dst(skb)->dev) && + (!(skb_dst(skb)->dev->features & NETIF_F_V4_CSUM))) { skb->ip_summed = CHECKSUM_COMPLETE; csum = skb_checksum(skb, 0, udp_len, 0); uh->check = csum_tcpudp_magic(inet->saddr, inet->daddr,