From: Tony Cheneau <tony.cheneau@amnesiak.org>
To: "David S. Miller" <davem@davemloft.net>
Cc: netdev@vger.kernel.org,
	Alexander Smirnov <alex.bluesman.smirnov@gmail.com>
Subject: [PATCH net-next v3 1/3] 6lowpan: Fix null pointer dereference in UDP uncompression function
Date: Wed, 11 Jul 2012 12:51:14 -0400
Message-ID: <1342025476-20949-2-git-send-email-tony.cheneau@amnesiak.org>
In-Reply-To: <1342025476-20949-1-git-send-email-tony.cheneau@amnesiak.org>

When a UDP packet gets fragmented, a crash will occur at reassembly time.
This is because skb->transport_header is not set during the earlier period of fragment reassembly.
As a consequence, the call to udp_hdr() returns NULL and uh (which is NULL) gets
dereferenced without much test.

Signed-off-by: Tony Cheneau <tony.cheneau@amnesiak.org>
---
 net/ieee802154/6lowpan.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
index f4070e5..0c9f6d1 100644
--- a/net/ieee802154/6lowpan.c
+++ b/net/ieee802154/6lowpan.c
@@ -315,6 +315,9 @@ lowpan_uncompress_udp_header(struct sk_buff *skb)
 	struct udphdr *uh = udp_hdr(skb);
 	u8 tmp;
 
+	if (!uh)
+		goto err;
+
 	if (lowpan_fetch_skb_u8(skb, &tmp))
 		goto err;
 
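Review bot: the new `if (!uh) goto err;` at the top of lowpan_uncompress_udp_header() stops the NULL dereference but leaves the cause named in the commit message in place: skb->transport_header is still unset during reassembly, so a fragmented UDP packet now takes the err path instead of being uncompressed. If the intent is for reassembled UDP traffic to work, set the transport header in the reassembly path before this function is called and keep the check only as a defensive guard. As posted, please add a short comment above the check saying when uh can be NULL, and state in the commit message what happens to the packet on err, since the hunk does not show that label.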
-- 
1.7.3.4
