diff options
| author | James Chapman <[email protected]> | 2024-08-07 07:54:47 +0100 |
|---|---|---|
| committer | David S. Miller <[email protected]> | 2024-08-11 04:38:49 +0100 |
| commit | b0a8deda060d51ebe4614ed6e1829d933139ba1a (patch) | |
| tree | fdc52e53af19e502c25405dfdffdfe7605086f7c | |
| parent | ebed6606b95954b94df6229db806978b32f3fa23 (diff) | |
l2tp: handle hash key collisions in l2tp_v3_session_get
To handle colliding l2tpv3 session IDs, l2tp_v3_session_get searches a
hashed list keyed by ID and sk. Although unlikely, if hash keys
collide, it is possible that hash_for_each_possible loops over a
session which doesn't have the ID that we are searching for. So check
for session ID match when looping over possible hash key matches.
Signed-off-by: James Chapman <[email protected]>
Signed-off-by: Tom Parkin <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
| -rw-r--r-- | net/l2tp/l2tp_core.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c index 70c231fcaa2e..3b34e549fb79 100644 --- a/net/l2tp/l2tp_core.c +++ b/net/l2tp/l2tp_core.c @@ -291,7 +291,8 @@ struct l2tp_session *l2tp_v3_session_get(const struct net *net, struct sock *sk, */ struct l2tp_tunnel *tunnel = READ_ONCE(session->tunnel); - if (tunnel && tunnel->sock == sk && + if (session->session_id == session_id && + tunnel && tunnel->sock == sk && refcount_inc_not_zero(&session->ref_count)) { rcu_read_unlock_bh(); return session; |