* [PATCH net-next 1/4] 6lowpan: Fix in UDP uncompression function when a null pointer gets dereferenced
@ 2012-06-11 4:38 Tony Cheneau
0 siblings, 0 replies; only message in thread
From: Tony Cheneau @ 2012-06-11 4:38 UTC (permalink / raw)
To: netdev, linux-zigbee-devel; +Cc: alex.bluesman.smirnov
When a UDP packet gets fragmented, a crash will occur during
reassembly.
skb->transport_header is not set during earlier period of fragment
reassembly. As a consequence, calll to udp_hdr() return NULL and uh
(which is NULL) gets dereferenced without much test.
I will post a patch later that will set skb->transport_header
correctly in lowpan_process_data(), so that
lowpan_uncompress_udp_header() behave as intended.
---
net/ieee802154/6lowpan.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
index 32eb417..a52e795 100644
--- a/net/ieee802154/6lowpan.c
+++ b/net/ieee802154/6lowpan.c
@@ -317,6 +317,9 @@ lowpan_uncompress_udp_header(struct sk_buff *skb)
{
struct udphdr *uh = udp_hdr(skb);
u8 tmp;
+
+ if (!uh)
+ goto err;
tmp = lowpan_fetch_skb_u8(skb);
--
1.7.3.4
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2012-06-11 4:46 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-06-11 4:38 [PATCH net-next 1/4] 6lowpan: Fix in UDP uncompression function when a null pointer gets dereferenced Tony Cheneau
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.