l2tp: add missing state verification on message reception

Verify tunnel or session states before handling HELLO, StopCCN and CDN
messages.

Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>

1 files changed, 18 insertions, 0 deletions

diff --git a/accel-pppd/ctrl/l2tp/l2tp.c b/accel-pppd/ctrl/l2tp/l2tp.c
index a63b0a0..10e7290 100644
--- a/accel-pppd/ctrl/l2tp/l2tp.c
+++ b/accel-pppd/ctrl/l2tp/l2tp.c
@@ -2666,6 +2666,12 @@ static int l2tp_recv_StopCCN(struct l2tp_conn_t *conn,
 	uint16_t res = 0;
 	uint16_t err = 0;
 
+	if (conn->state == STATE_CLOSE) {
+		log_tunnel(log_warn, conn, "discarding unexpected StopCCN\n");
+
+		return 0;
+	}
+
 	log_tunnel(log_info2, conn, "handling StopCCN\n");
 
 	list_for_each_entry(attr, &pack->attrs, entry) {
@@ -2732,6 +2738,12 @@ static int l2tp_recv_StopCCN(struct l2tp_conn_t *conn,
 static int l2tp_recv_HELLO(struct l2tp_conn_t *conn,
 			   const struct l2tp_packet_t *pack)
 {
+	if (conn->state != STATE_ESTB) {
+		log_tunnel(log_warn, conn, "discarding unexpected HELLO\n");
+
+		return 0;
+	}
+
 	log_tunnel(log_debug, conn, "handling HELLO\n");
 
 	if (l2tp_send_ZLB(conn) < 0) {
@@ -3334,6 +3346,12 @@ static int l2tp_recv_CDN(struct l2tp_sess_t *sess,
 	uint16_t res = 0;
 	uint16_t err = 0;
 
+	if (sess->state1 == STATE_CLOSE) {
+		log_session(log_warn, sess, "discarding unexpected CDN\n");
+
+		return 0;
+	}
+
 	log_session(log_info2, sess, "handling CDN\n");
 
 	list_for_each_entry(attr, &pack->attrs, entry) {