Commit b0a8deda authored by James Chapman's avatar James Chapman Committed by David S. Miller
Browse files

l2tp: handle hash key collisions in l2tp_v3_session_get 



To handle colliding l2tpv3 session IDs, l2tp_v3_session_get searches a
hashed list keyed by ID and sk. Although unlikely, if hash keys
collide, it is possible that hash_for_each_possible loops over a
session which doesn't have the ID that we are searching for. So check
for session ID match when looping over possible hash key matches.

Signed-off-by: default avatarJames Chapman <jchapman@katalix.com>
Signed-off-by: default avatarTom Parkin <tparkin@katalix.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent ebed6606

net/l2tp/l2tp_core.c

+2 −1
Original line number Diff line number Diff line
@@ -291,7 +291,8 @@ struct l2tp_session *l2tp_v3_session_get(const struct net *net, struct sock *sk, 
			 */

			struct l2tp_tunnel *tunnel = READ_ONCE(session->tunnel);



			if (tunnel && tunnel->sock == sk &&

			if (session->session_id == session_id &&

			    tunnel && tunnel->sock == sk &&

			    refcount_inc_not_zero(&session->ref_count)) {

				rcu_read_unlock_bh();

				return session;