diff mbox series

net/l2tp: Fix reference count leak in l2tp_udp_recv_core

Message ID 1631161930-77772-1-git-send-email-xiyuyang19@fudan.edu.cn (mailing list archive)
State Accepted
Commit 9b6ff7eb666415e1558f1ba8a742f5db6a9954de
Delegated to: Netdev Maintainers
Headers show
Series net/l2tp: Fix reference count leak in l2tp_udp_recv_core | expand

Checks

Context Check Description
netdev/cover_letter success Link
netdev/fixes_present success Link
netdev/patch_count success Link
netdev/tree_selection success Guessed tree name to be net-next
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cc_maintainers success CCed 10 of 10 maintainers
netdev/source_inline success Was 0 now: 0
netdev/verify_signedoff success Link
netdev/module_param success Was 0 now: 0
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/verify_fixes success Link
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 11 lines checked
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/header_inline success Link

Commit Message

Xiyu Yang Sept. 9, 2021, 4:32 a.m. UTC
The reference count leak issue may take place in an error handling
path. If both conditions of tunnel->version == L2TP_HDR_VER_3 and the
return value of l2tp_v3_ensure_opt_in_linear is nonzero, the function
would directly jump to label invalid, without decrementing the reference
count of the l2tp_session object session increased earlier by
l2tp_tunnel_get_session(). This may result in refcount leaks.

Fix this issue by decrease the reference count before jumping to the
label invalid.

Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
---
 net/l2tp/l2tp_core.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Tom Parkin Sept. 9, 2021, 9:01 a.m. UTC | #1
On  Thu, Sep 09, 2021 at 12:32:00 +0800, Xiyu Yang wrote:
> The reference count leak issue may take place in an error handling
> path. If both conditions of tunnel->version == L2TP_HDR_VER_3 and the
> return value of l2tp_v3_ensure_opt_in_linear is nonzero, the function
> would directly jump to label invalid, without decrementing the reference
> count of the l2tp_session object session increased earlier by
> l2tp_tunnel_get_session(). This may result in refcount leaks.

I agree with your analysis.  Thanks for catching this!

> 
> Fix this issue by decrease the reference count before jumping to the
> label invalid.
> 
> Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
> Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
> Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
> ---
>  net/l2tp/l2tp_core.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
> index 53486b162f01..93271a2632b8 100644
> --- a/net/l2tp/l2tp_core.c
> +++ b/net/l2tp/l2tp_core.c
> @@ -869,8 +869,10 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb)
>  	}
>  
>  	if (tunnel->version == L2TP_HDR_VER_3 &&
> -	    l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr))
> +	    l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) {
> +		l2tp_session_dec_refcount(session);
>  		goto invalid;
> +	}

The error paths in l2tp_udp_recv_core are a bit convoluted because of
the check (!session || !session->recv_skb) which may or may not need
to drop a session reference if triggered.

I think it could be simplified since session->recv_skb is always set
for all the current session types in the tree, but doing that is probably
a little patch series on its own.

>  
>  	l2tp_recv_common(session, skb, ptr, optr, hdrflags, length);
>  	l2tp_session_dec_refcount(session);
> -- 
> 2.7.4
>
Tom Parkin Sept. 9, 2021, 9:10 a.m. UTC | #2
On  Thu, Sep 09, 2021 at 10:01:56 +0100, Tom Parkin wrote:
> On  Thu, Sep 09, 2021 at 12:32:00 +0800, Xiyu Yang wrote:
> > The reference count leak issue may take place in an error handling
> > path. If both conditions of tunnel->version == L2TP_HDR_VER_3 and the
> > return value of l2tp_v3_ensure_opt_in_linear is nonzero, the function
> > would directly jump to label invalid, without decrementing the reference
> > count of the l2tp_session object session increased earlier by
> > l2tp_tunnel_get_session(). This may result in refcount leaks.
> 
> I agree with your analysis.  Thanks for catching this!
> 

Also: I forgot to mention I think this fixes:

4522a70db7aa ("l2tp: fix reading optional fields of L2TPv3")

> > 
> > Fix this issue by decrease the reference count before jumping to the
> > label invalid.
> > 
> > Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
> > Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
> > Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
> > ---
> >  net/l2tp/l2tp_core.c | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> > 
> > diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
> > index 53486b162f01..93271a2632b8 100644
> > --- a/net/l2tp/l2tp_core.c
> > +++ b/net/l2tp/l2tp_core.c
> > @@ -869,8 +869,10 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb)
> >  	}
> >  
> >  	if (tunnel->version == L2TP_HDR_VER_3 &&
> > -	    l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr))
> > +	    l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) {
> > +		l2tp_session_dec_refcount(session);
> >  		goto invalid;
> > +	}
> 
> The error paths in l2tp_udp_recv_core are a bit convoluted because of
> the check (!session || !session->recv_skb) which may or may not need
> to drop a session reference if triggered.
> 
> I think it could be simplified since session->recv_skb is always set
> for all the current session types in the tree, but doing that is probably
> a little patch series on its own.
> 
> >  
> >  	l2tp_recv_common(session, skb, ptr, optr, hdrflags, length);
> >  	l2tp_session_dec_refcount(session);
> > -- 
> > 2.7.4
> > 
> 
> -- 
> Tom Parkin
> Katalix Systems Ltd
> https://katalix.com
> Catalysts for your Embedded Linux software development
patchwork-bot+netdevbpf@kernel.org Sept. 9, 2021, 10:10 a.m. UTC | #3
Hello:

This patch was applied to netdev/net.git (refs/heads/master):

On Thu,  9 Sep 2021 12:32:00 +0800 you wrote:
> The reference count leak issue may take place in an error handling
> path. If both conditions of tunnel->version == L2TP_HDR_VER_3 and the
> return value of l2tp_v3_ensure_opt_in_linear is nonzero, the function
> would directly jump to label invalid, without decrementing the reference
> count of the l2tp_session object session increased earlier by
> l2tp_tunnel_get_session(). This may result in refcount leaks.
> 
> [...]

Here is the summary with links:
  - net/l2tp: Fix reference count leak in l2tp_udp_recv_core
    https://git.kernel.org/netdev/net/c/9b6ff7eb6664

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
diff mbox series

Patch

diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 53486b162f01..93271a2632b8 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -869,8 +869,10 @@  static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb)
 	}
 
 	if (tunnel->version == L2TP_HDR_VER_3 &&
-	    l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr))
+	    l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) {
+		l2tp_session_dec_refcount(session);
 		goto invalid;
+	}
 
 	l2tp_recv_common(session, skb, ptr, optr, hdrflags, length);
 	l2tp_session_dec_refcount(session);