| Message ID | 20190726080321.4466-1-baijiaju1990@gmail.com |
|---|---|
| State | Rejected |
| Delegated to: | David Miller |
| Headers | show |
| Series | [1/2] net: ipv6: Fix a possible null-pointer dereference in ip6_xmit() | expand |
Le 26/07/2019 à 10:03, Jia-Ju Bai a écrit : > In vti6_link_config(), there is an if statement on line 649 to check > whether rt is NULL: > if (rt) > > When rt is NULL, it is used on line 651: > ip6_rt_put(rt); > dst_release(&rt->dst); > > Thus, a possible null-pointer dereference may occur. > > To fix this bug, ip6_rt_put() is called when rt is not NULL. > > This bug is found by a static analysis tool STCheck written by us. > > Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> > --- > net/ipv6/ip6_vti.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c > index 024db17386d2..572647205c52 100644 > --- a/net/ipv6/ip6_vti.c > +++ b/net/ipv6/ip6_vti.c > @@ -646,9 +646,10 @@ static void vti6_link_config(struct ip6_tnl *t, bool keep_mtu) > &p->raddr, &p->laddr, > p->link, NULL, strict); > > - if (rt) > + if (rt) { > tdev = rt->dst.dev; > - ip6_rt_put(rt); > + ip6_rt_put(rt); > + } Please, look at ip6_rt_put(), it is explicitly stated that it can be called with rt == NULL.
From: Jia-Ju Bai <baijiaju1990@gmail.com> Date: Fri, 26 Jul 2019 16:03:21 +0800 > @@ -646,9 +646,10 @@ static void vti6_link_config(struct ip6_tnl *t, bool keep_mtu) > &p->raddr, &p->laddr, > p->link, NULL, strict); > > - if (rt) > + if (rt) { > tdev = rt->dst.dev; > - ip6_rt_put(rt); > + ip6_rt_put(rt); > + } ip6_rt_put() can take a NULL argument without any problem. I want to make it clear that because of mistakes of this nature, and how frequently you make them, it is very tiring and exhausting to review your changes...
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c index 024db17386d2..572647205c52 100644 --- a/net/ipv6/ip6_vti.c +++ b/net/ipv6/ip6_vti.c @@ -646,9 +646,10 @@ static void vti6_link_config(struct ip6_tnl *t, bool keep_mtu) &p->raddr, &p->laddr, p->link, NULL, strict); - if (rt) + if (rt) { tdev = rt->dst.dev; - ip6_rt_put(rt); + ip6_rt_put(rt); + } } if (!tdev && p->link)
In vti6_link_config(), there is an if statement on line 649 to check whether rt is NULL: if (rt) When rt is NULL, it is used on line 651: ip6_rt_put(rt); dst_release(&rt->dst); Thus, a possible null-pointer dereference may occur. To fix this bug, ip6_rt_put() is called when rt is not NULL. This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> --- net/ipv6/ip6_vti.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)