CVE-2014-4943 pppol2tp level handling (rhbz 1119458 1120542)
This commit is contained in:
parent
24c69d188a
commit
e5285152d8
|
@ -762,6 +762,9 @@ Patch25109: revert-input-wacom-testing-result-shows-get_report-is-unnecessary.pa
|
|||
Patch25110: 0001-ideapad-laptop-Blacklist-rfkill-control-on-the-Lenov.patch
|
||||
Patch25111: 0002-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
|
||||
|
||||
#CVE-2014-4943 rhbz 1119458 1120542
|
||||
Patch25115: net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1467,6 +1470,9 @@ ApplyPatch revert-input-wacom-testing-result-shows-get_report-is-unnecessary.pat
|
|||
ApplyPatch 0001-ideapad-laptop-Blacklist-rfkill-control-on-the-Lenov.patch
|
||||
ApplyPatch 0002-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
|
||||
|
||||
#CVE-2014-4943 rhbz 1119458 1120542
|
||||
ApplyPatch net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2279,6 +2285,9 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Thu Jul 17 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2014-4943 pppol2tp level handling (rhbz 1119458 1120542)
|
||||
|
||||
* Mon Jul 14 2014 Josh Boyer <jwboyer@fedoraproject.rog> - 3.14.12-100
|
||||
- Linux v3.14.12
|
||||
|
||||
|
|
|
@ -0,0 +1,57 @@
|
|||
Bugzilla: 1120542
|
||||
Upstream-status: 3.16 and CC'd to stable
|
||||
|
||||
From 3cf521f7dc87c031617fd47e4b7aa2593c2f3daf Mon Sep 17 00:00:00 2001
|
||||
From: Sasha Levin <sasha.levin@oracle.com>
|
||||
Date: Mon, 14 Jul 2014 17:02:31 -0700
|
||||
Subject: [PATCH] net/l2tp: don't fall back on UDP [get|set]sockopt
|
||||
|
||||
The l2tp [get|set]sockopt() code has fallen back to the UDP functions
|
||||
for socket option levels != SOL_PPPOL2TP since day one, but that has
|
||||
never actually worked, since the l2tp socket isn't an inet socket.
|
||||
|
||||
As David Miller points out:
|
||||
|
||||
"If we wanted this to work, it'd have to look up the tunnel and then
|
||||
use tunnel->sk, but I wonder how useful that would be"
|
||||
|
||||
Since this can never have worked so nobody could possibly have depended
|
||||
on that functionality, just remove the broken code and return -EINVAL.
|
||||
|
||||
Reported-by: Sasha Levin <sasha.levin@oracle.com>
|
||||
Acked-by: James Chapman <jchapman@katalix.com>
|
||||
Acked-by: David Miller <davem@davemloft.net>
|
||||
Cc: Phil Turnbull <phil.turnbull@oracle.com>
|
||||
Cc: Vegard Nossum <vegard.nossum@oracle.com>
|
||||
Cc: Willy Tarreau <w@1wt.eu>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
net/l2tp/l2tp_ppp.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
|
||||
index 950909f04ee6..13752d96275e 100644
|
||||
--- a/net/l2tp/l2tp_ppp.c
|
||||
+++ b/net/l2tp/l2tp_ppp.c
|
||||
@@ -1365,7 +1365,7 @@ static int pppol2tp_setsockopt(struct socket *sock, int level, int optname,
|
||||
int err;
|
||||
|
||||
if (level != SOL_PPPOL2TP)
|
||||
- return udp_prot.setsockopt(sk, level, optname, optval, optlen);
|
||||
+ return -EINVAL;
|
||||
|
||||
if (optlen < sizeof(int))
|
||||
return -EINVAL;
|
||||
@@ -1491,7 +1491,7 @@ static int pppol2tp_getsockopt(struct socket *sock, int level, int optname,
|
||||
struct pppol2tp_session *ps;
|
||||
|
||||
if (level != SOL_PPPOL2TP)
|
||||
- return udp_prot.getsockopt(sk, level, optname, optval, optlen);
|
||||
+ return -EINVAL;
|
||||
|
||||
if (get_user(len, optlen))
|
||||
return -EFAULT;
|
||||
--
|
||||
1.9.3
|
||||
|
Loading…
Reference in New Issue