From: Alexis Dambricourt <alexis.dambrico...@gmail.com>
If a 32 bits l2tpv3 frame cookie MSB if set to 1, the cast to uint64_t
cookie will spread 1 to the four most significant bytes.
Then the condition (cookie != s->rx_cookie) becomes false.
Signed-off-by: Alexis Dambricourt <alexis.dambrico...@gmail.com>
Signed-off-by: Jason Wang <jasow...@redhat.com>
---
net/l2tpv3.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/l2tpv3.c b/net/l2tpv3.c
index 8e68e54..21d6119 100644
--- a/net/l2tpv3.c
+++ b/net/l2tpv3.c
@@ -325,7 +325,7 @@ static int l2tpv3_verify_header(NetL2TPV3State *s, uint8_t
*buf)
if (s->cookie_is_64) {
cookie = ldq_be_p(buf + s->cookie_offset);
} else {
- cookie = ldl_be_p(buf + s->cookie_offset);
+ cookie = ldl_be_p(buf + s->cookie_offset) & 0xffffffffULL;
}
if (cookie != s->rx_cookie) {
if (!s->header_mismatch) {
--
2.5.0
