Open Source and information security mailing list archives
Message-Id: <20161122.100613.2091017686933180253.davem@davemloft.net>
Date:   Tue, 22 Nov 2016 10:06:13 -0500 (EST)
From:   David Miller <davem@...emloft.net>
To:     hannes@...essinduktion.org
Cc:     manjeet.p@...sung.com, kuznet@....inr.ac.ru, jmorris@...ei.org,
        yoshfuji@...ux-ipv6.org, kaber@...sh.net, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, pankaj.m@...sung.com,
        ajeet.y@...sung.com, r.thapliyal@...sung.com
Subject: Re: [PATCH] ipv6:ipv6_pinfo dereferenced after NULL check

From: Hannes Frederic Sowa <hannes@...essinduktion.org>
Date: Tue, 22 Nov 2016 13:26:45 +0100

> On 22.11.2016 07:27, Manjeet Pawar wrote:
>> From: Rohit Thapliyal <r.thapliyal@...sung.com>
>> 
>> np is checked for NULL and then dereferenced. It should be modified
>> for the NULL case.
>> 
>> Signed-off-by: Rohit Thapliyal <r.thapliyal@...sung.com>
>> Signed-off-by: Manjeet Pawar <manjeet.p@...sung.com>
>> ---
>>  net/ipv6/ip6_output.c | 9 +++++----
>>  1 file changed, 5 insertions(+), 4 deletions(-)
>> 
>> diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
>> index 1dfc402..c2afa14 100644
>> --- a/net/ipv6/ip6_output.c
>> +++ b/net/ipv6/ip6_output.c
>> @@ -205,14 +205,15 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
>>  	/*
>>  	 *	Fill in the IPv6 header
>>  	 */
>> -	if (np)
>> +	if (np) {
>>  		hlimit = np->hop_limit;
>> +		ip6_flow_hdr(
>> +					hdr, tclass, ip6_make_flowlabel(
>> +					net, skb, fl6->flowlabel,
>> +					np->autoflowlabel, fl6));
>> +	}
>>  	if (hlimit < 0)
>>  		hlimit = ip6_dst_hoplimit(dst);
>>  
>> -	ip6_flow_hdr(hdr, tclass, ip6_make_flowlabel(net, skb, fl6->flowlabel,
>> -				np->autoflowlabel, fl6));
>> -
>>  	hdr->payload_len = htons(seg_len);
>>  	hdr->nexthdr = proto;
>>  	hdr->hop_limit = hlimit;
>> 
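Review bot: When np is NULL, the version, traffic class and flow label bytes of the IPv6 header are never written, because the only remaining ip6_flow_hdr() call now sits inside the `if (np)` block and the unconditional call below `hlimit` has been removed; the header must be filled in on every path. Keep ip6_flow_hdr() unconditional and handle the NULL case only for the field that needs it, e.g. pass `np ? np->autoflowlabel : 0` to ip6_make_flowlabel() instead of skipping the whole call. Separately, the continuation lines of the moved call are indented far past the open parenthesis of `ip6_flow_hdr(` rather than aligned to it as in the removed lines.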
> 
> 
> We should always initialize hdr and not skip the ip6_flow_hdr call.
> 
> Did you see a bug or did you find this by code review? I wonder if np can
> actually be NULL at this point. Maybe we can just eliminate the NULL check.

Also the indentation is really off.