| Message ID | 20190726080307.4414-1-baijiaju1990@gmail.com |
|---|---|
| State | Rejected |
| Delegated to | David Miller |
| Series | [1/2] net: ipv6: Fix a possible null-pointer dereference in ip6_xmit() |
On Fri, Jul 26, 2019 at 4:03 AM Jia-Ju Bai <baijiaju1990@gmail.com> wrote: > > In ip6_xmit(), there is an if statement on line 245 to check whether > np is NULL: > if (np) > > When np is NULL, it is used on line 251: > ip6_autoflowlabel(net, np) > if (!np->autoflowlabel_set) > > Thus, a possible null-pointer dereference may occur. > > To fix this bug, np is checked before calling > ip6_autoflowlabel(net,np). > > This bug is found by a static analysis tool STCheck written by us. > > Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> > --- > net/ipv6/ip6_output.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c > index 8e49fd62eea9..07db5ab6e970 100644 > --- a/net/ipv6/ip6_output.c > +++ b/net/ipv6/ip6_output.c > @@ -247,8 +247,10 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6, > if (hlimit < 0) > hlimit = ip6_dst_hoplimit(dst); > > - ip6_flow_hdr(hdr, tclass, ip6_make_flowlabel(net, skb, fl6->flowlabel, > - ip6_autoflowlabel(net, np), fl6)); > + if (np) { > + ip6_flow_hdr(hdr, tclass, ip6_make_flowlabel(net, skb, fl6->flowlabel, > + ip6_autoflowlabel(net, np), fl6)); > + }

I don't know when np can be NULL in ip6_xmit. But if so, must still set up the ipv6 header. A more narrow change would be in ip6_autoflowlabel

- if (!np->autoflowlabel_set)
+ if (!np || !np->autoflowlabel_set)
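As an added example, not code from the patch, the reply or the kernel, the following stand-alone C model contrasts the two guards: the submitted patch's `if (np)` around ip6_flow_hdr() against the narrower `!np ||` check inside ip6_autoflowlabel() that the reply suggests. The struct names, the `SYSCTL_AUTO_FLOWLABELS` default, `make_flowlabel()` and the 0xa5 poison pattern are assumptions standing in for the kernel's ipv6_pinfo, net->ipv6.sysctl, ip6_make_flowlabel() and the contents of freshly pushed skb header memory; only the control flow is taken from the hunk.

```c
/* Added example, not kernel code: a stand-alone model of the two ways to
 * guard np in ip6_xmit(). Names and values below are simplified stand-ins
 * (assumptions); only the control flow follows the patch and the reply. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for net->ipv6.sysctl.auto_flowlabels: 1 = enabled. */
#define SYSCTL_AUTO_FLOWLABELS 1

/* Minimal stand-in for struct ipv6_pinfo: only the two fields the helper reads. */
struct pinfo {
    unsigned int autoflowlabel_set:1;
    unsigned int autoflowlabel:1;
};

/* First 32-bit word of the IPv6 header: version(4) | tclass(8) | flowlabel(20).
 * Kept as bytes so the "never written" case stays visible. */
struct hdr_word {
    uint8_t b[4];
};

/* Model of ip6_flow_hdr(): writes version 6, traffic class and flow label. */
static void flow_hdr(struct hdr_word *h, uint8_t tclass, uint32_t flowlabel)
{
    h->b[0] = (uint8_t)(0x60 | (tclass >> 4));
    h->b[1] = (uint8_t)((tclass << 4) | ((flowlabel >> 16) & 0x0f));
    h->b[2] = (uint8_t)(flowlabel >> 8);
    h->b[3] = (uint8_t)flowlabel;
}

/* Helper as it stands in the tree: dereferences np unconditionally. */
static int autoflowlabel_orig(const struct pinfo *np)
{
    if (!np->autoflowlabel_set)
        return SYSCTL_AUTO_FLOWLABELS;
    return np->autoflowlabel;
}

/* The reply's narrower fix: a NULL np falls back to the sysctl default. */
int autoflowlabel_narrow(const struct pinfo *np)
{
    if (!np || !np->autoflowlabel_set)
        return SYSCTL_AUTO_FLOWLABELS;
    return np->autoflowlabel;
}

/* Toy stand-in for ip6_make_flowlabel(): a fixed label only when auto-labelling is on. */
static uint32_t make_flowlabel(int autolabel)
{
    return autolabel ? 0x12345 : 0;
}

/* Control flow of the submitted patch: the whole header write is skipped when np is NULL. */
void xmit_patch(const struct pinfo *np, struct hdr_word *h, uint8_t tclass)
{
    if (np)
        flow_hdr(h, tclass, make_flowlabel(autoflowlabel_orig(np)));
    /* payload_len / nexthdr would be filled in here regardless of np */
}

/* Control flow with the narrow fix: the header is always written. */
void xmit_narrow(const struct pinfo *np, struct hdr_word *h, uint8_t tclass)
{
    flow_hdr(h, tclass, make_flowlabel(autoflowlabel_narrow(np)));
}

/* Run one variant against poisoned header memory and return the version nibble
 * a receiver would see; 6 means a valid IPv6 header, anything else is garbage. */
int version_after(void (*xmit)(const struct pinfo *, struct hdr_word *, uint8_t),
                  const struct pinfo *np)
{
    struct hdr_word h;
    memset(&h, 0xa5, sizeof h);   /* poison: assumed contents of a freshly pushed header */
    xmit(np, &h, 0);
    return h.b[0] >> 4;
}

/* Same, but return the 20-bit flow label that ended up in the header. */
uint32_t flowlabel_after(void (*xmit)(const struct pinfo *, struct hdr_word *, uint8_t),
                         const struct pinfo *np)
{
    struct hdr_word h;
    memset(&h, 0xa5, sizeof h);
    xmit(np, &h, 0);
    return ((uint32_t)(h.b[1] & 0x0f) << 16) | ((uint32_t)h.b[2] << 8) | h.b[3];
}

int version_with_patch_null_np(void)  { return version_after(xmit_patch, NULL); }
int version_with_narrow_null_np(void) { return version_after(xmit_narrow, NULL); }

int main(void)
{
    printf("patch,  np==NULL: version nibble = %d\n", version_with_patch_null_np());
    printf("narrow, np==NULL: version nibble = %d, flowlabel = 0x%x\n",
           version_with_narrow_null_np(), flowlabel_after(xmit_narrow, NULL));
    return 0;
}
```

With np == NULL the narrow variant still produces a version-6 header carrying the sysctl-derived flow label, whereas the patch's control flow leaves the poison in place, which is the "must still set up the ipv6 header" point from the reply; a socket that does carry ipv6_pinfo behaves identically under both variants.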
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 8e49fd62eea9..07db5ab6e970 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -247,8 +247,10 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6, if (hlimit < 0) hlimit = ip6_dst_hoplimit(dst); - ip6_flow_hdr(hdr, tclass, ip6_make_flowlabel(net, skb, fl6->flowlabel, - ip6_autoflowlabel(net, np), fl6)); + if (np) { + ip6_flow_hdr(hdr, tclass, ip6_make_flowlabel(net, skb, fl6->flowlabel, + ip6_autoflowlabel(net, np), fl6)); + } hdr->payload_len = htons(seg_len); hdr->nexthdr = proto;
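Review bot: wrapping the ip6_flow_hdr() call in `if (np)` leaves the first word of the IPv6 header (version, traffic class, flow label) unwritten whenever np is NULL, while the lines that follow in this hunk, `hdr->payload_len = htons(seg_len);` and `hdr->nexthdr = proto;`, still run, so the NULL case would now transmit a packet whose header was never initialised instead of faulting. Keep the header setup unconditional and move the NULL handling into ip6_autoflowlabel() so a NULL np falls back to the sysctl default, as the reply suggests: `if (!np || !np->autoflowlabel_set)`. It would also help to state in the commit message which caller of ip6_xmit() can actually reach this path with np == NULL, since the earlier `if (np)` around the hop-limit lookup is the only evidence given and the reviewer could not identify such a caller.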
In ip6_xmit(), there is an if statement on line 245 to check whether np is NULL:

    if (np)

When np is NULL, it is used on line 251:

    ip6_autoflowlabel(net, np)
        if (!np->autoflowlabel_set)

Thus, a possible null-pointer dereference may occur.

To fix this bug, np is checked before calling ip6_autoflowlabel(net,np).

This bug is found by a static analysis tool STCheck written by us.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
---
 net/ipv6/ip6_output.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)