From patchwork Fri Jan 8 05:46:10 2016
X-Patchwork-Submitter: Baozeng Ding
X-Patchwork-Id: 564616
X-Patchwork-Delegate: davem@davemloft.net
From: Baozeng Ding To: davem@davemloft.net, herbert@gondor.apana.org.au, daniel@iogearbox.net, tgraf@suug.ch, pablo@netfilter.org, chamaken@gmail.com, nicolas.dichtel@6wind.com, fw@strlen.de Cc: netdev@vger.kernel.org, Baozeng Ding Subject: [PATCH] netlink: fix null pointer dereference on nlk->groups Date: Fri, 8 Jan 2016 13:46:10 +0800 Message-Id: <1452231970-27357-1-git-send-email-sploving1@gmail.com> X-Mailer: git-send-email 1.9.1 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org If groups is not 0 and nlk->groups is NULL, it will not return immediately and cause a null pointer dereference later. Signed-off-by: Baozeng Ding --- net/netlink/af_netlink.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 59651af..38efde0 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -1524,6 +1524,7 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr, int err; long unsigned int groups = nladdr->nl_groups; bool bound; + unsigned long nlgroups; if (addr_len < sizeof(struct sockaddr_nl)) return -EINVAL; @@ -1576,14 +1577,17 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr, } } - if (!groups && (nlk->groups == NULL || !(u32)nlk->groups[0])) + if (nlk->groups == NULL) + return 0; + nlgroups = nlk->groups[0]; + if (!groups && !(u32)nlgroups) return 0; netlink_table_grab(); netlink_update_subscriptions(sk, nlk->subscriptions + hweight32(groups) - - hweight32(nlk->groups[0])); - nlk->groups[0] = (nlk->groups[0] & ~0xffffffffUL) | groups; + hweight32(nlgroups)); + nlk->groups[0] = (nlgroups & ~0xffffffffUL) | groups; netlink_update_listeners(sk); netlink_table_ungrab();
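Review bot: In the first hunk (the declarations at the top of netlink_bind), the new local is spelled `unsigned long nlgroups;` while the line just above it declares `long unsigned int groups` for the same kind of value. Use one spelling for both, and place the declaration next to `groups` rather than after `bool bound` so the two related masks sit together. If the second hunk is reworked to read `nlk->groups[0]` under the table lock, this local is not needed at all.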
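Review bot: In the second hunk, `if (nlk->groups == NULL) return 0;` makes netlink_bind return success even when the caller passed a non-zero `groups`, so the requested subscription is dropped silently; the old condition returned early only when `groups` was 0. The commit message says this state leads to a NULL dereference later but does not say how `nlk->groups` can still be NULL with `groups` set, so either return an error for that case or explain in the changelog why ignoring the request is correct. A second point in the same hunk: `nlgroups = nlk->groups[0];` is read before `netlink_table_grab()` and then reused inside the locked region for `hweight32(nlgroups)` and for the write-back `nlk->groups[0] = (nlgroups & ~0xffffffffUL) | groups;`, whereas the removed lines re-read `nlk->groups[0]` under the lock. If the mask can change between the read and the grab, the cached copy writes back a stale upper part and miscounts subscriptions; keep the read inside the locked section.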