| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1351491005.7394.7.camel@edumazet-glaptop>
Date: Mon, 29 Oct 2012 07:10:05 +0100
From: Eric Dumazet <eric.dumazet@...il.com>
To: Cong Wang <amwang@...hat.com>
Cc: netdev@...r.kernel.org, "David S. Miller" <davem@...emloft.net>
Subject: Re: [Patch net-next] ipv6: fix a potential NULL deref
On Mon, 2012-10-29 at 11:50 +0800, Cong Wang wrote:
> In ipv6_del_addr():
>
> if (rt != net->ipv6.ip6_null_entry &&
> addrconf_is_prefix_route(rt)) {
> if (onlink == 0) {
> ip6_del_rt(rt);
> rt = NULL;
> } else if (!(rt->rt6i_flags & RTF_EXPIRES)) {
> rt6_set_expires(rt, expires);
> }
> }
> dst_release(&rt->dst);
>
> obviously rt could be NULL'd before dst_release(), so
> we have to check if rt is NULL before calling it.
>
> Reported-by: Fengguang Wu <fengguang.wu@...el.com>
> Cc: David S. Miller <davem@...emloft.net>
> Signed-off-by: Cong Wang <amwang@...hat.com>
>
> ---
> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
> index 8f0b12a..c467dbb 100644
> --- a/net/ipv6/addrconf.c
> +++ b/net/ipv6/addrconf.c
> @@ -951,7 +951,8 @@ static void ipv6_del_addr(struct inet6_ifaddr *ifp)
> rt6_set_expires(rt, expires);
> }
> }
> - dst_release(&rt->dst);
> + if (rt)
> + dst_release(&rt->dst);
> }
>
dst_release() is like kfree(), it accepts a NULL argument.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists