evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ipv4: ipmr: fix NULL pointer deref during unres queue destruction

Browse source 
Fix an oversight in ipmr_destroy_unres() - the net pointer is
unconditionally initialized to NULL, resulting in a NULL pointer
dereference later on.

Fix by adding a net pointer to struct mr_table and using it in
ipmr_destroy_unres().

Signed-off-by: Patrick McHardy <kaber@trash.net>
This commit is contained in:
Patrick McHardy 2010-04-15 13:29:28 +02:00
parent b0ebb739a8
commit 8de53dfbf9
1 changed files with 5 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
net/ipv4/ipmr.c
View file

@ -71,6 +71,9 @@
struct mr_table { struct mr_table {
struct list_head list; struct list_head list;
#ifdef CONFIG_NET_NS
struct net *net;
#endif
u32 id; u32 id;
struct sock *mroute_sk; struct sock *mroute_sk;
struct timer_list ipmr_expire_timer; struct timer_list ipmr_expire_timer;
@ -308,6 +311,7 @@ static struct mr_table *ipmr_new_table(struct net *net, u32 id)
mrt = kzalloc(sizeof(*mrt), GFP_KERNEL); mrt = kzalloc(sizeof(*mrt), GFP_KERNEL);
if (mrt == NULL) if (mrt == NULL)
return NULL; return NULL;
write_pnet(&mrt->net, net);
mrt->id = id; mrt->id = id;
/* Forwarding cache */ /* Forwarding cache */
@ -580,7 +584,7 @@ static inline void ipmr_cache_free(struct mfc_cache *c)
static void ipmr_destroy_unres(struct mr_table *mrt, struct mfc_cache *c) static void ipmr_destroy_unres(struct mr_table *mrt, struct mfc_cache *c)
{ {
struct net *net = NULL; //mrt->net; struct net *net = read_pnet(&mrt->net);
struct sk_buff *skb; struct sk_buff *skb;
struct nlmsgerr *e; struct nlmsgerr *e;