Re: [PATCH] net: fix NULL pointer reference in cipso_v4_doi_free

[王贇 <yun.wang@linux.alibaba.com>]

Just a ping... Should we fix this?

Regards,
Michael Wang

On 2021/8/26 上午11:42, 王贇 wrote:
> In netlbl_cipsov4_add_std() when 'doi_def->map.std' alloc
> failed, we sometime observe panic:
> 
>   BUG: kernel NULL pointer dereference, address:
>   ...
>   RIP: 0010:cipso_v4_doi_free+0x3a/0x80
>   ...
>   Call Trace:
>    netlbl_cipsov4_add_std+0xf4/0x8c0
>    netlbl_cipsov4_add+0x13f/0x1b0
>    genl_family_rcv_msg_doit.isra.15+0x132/0x170
>    genl_rcv_msg+0x125/0x240
> 
> This is because in cipso_v4_doi_free() there is no check
> on 'doi_def->map.std' when 'doi_def->type' equal 1, which
> is possibe, since netlbl_cipsov4_add_std() haven't initialize
> it before alloc 'doi_def->map.std'.
> 
> This patch just add the check to prevent panic happen for similar
> cases.
> 
> Reported-by: Abaci <abaci@linux.alibaba.com>
> Signed-off-by: Michael Wang <yun.wang@linux.alibaba.com>
> ---
> 
>  net/ipv4/cipso_ipv4.c | 18 ++++++++++--------
>  1 file changed, 10 insertions(+), 8 deletions(-)
> 
> diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
> index 099259f..7fbd0b5 100644
> --- a/net/ipv4/cipso_ipv4.c
> +++ b/net/ipv4/cipso_ipv4.c
> @@ -465,14 +465,16 @@ void cipso_v4_doi_free(struct cipso_v4_doi *doi_def)
>  	if (!doi_def)
>  		return;
> 
> -	switch (doi_def->type) {
> -	case CIPSO_V4_MAP_TRANS:
> -		kfree(doi_def->map.std->lvl.cipso);
> -		kfree(doi_def->map.std->lvl.local);
> -		kfree(doi_def->map.std->cat.cipso);
> -		kfree(doi_def->map.std->cat.local);
> -		kfree(doi_def->map.std);
> -		break;
> +	if (doi_def->map.std) {
> +		switch (doi_def->type) {
> +		case CIPSO_V4_MAP_TRANS:
> +			kfree(doi_def->map.std->lvl.cipso);
> +			kfree(doi_def->map.std->lvl.local);
> +			kfree(doi_def->map.std->cat.cipso);
> +			kfree(doi_def->map.std->cat.local);
> +			kfree(doi_def->map.std);
> +			break;
> +		}
>  	}
>  	kfree(doi_def);
>  }
>