Date: Tue, 29 Dec 2015 19:42:36 +0000
From: Rainer Weikusat <rweikusat@...ileactivedefense.com>
To: Jacob Siverskog <jacob@...nage.engineering>
Cc: netdev@...r.kernel.org, "David S . Miller" <davem@...emloft.net>,
	Herbert Xu <herbert@...dor.apana.org.au>,
	Rainer Weikusat <rweikusat@...ileactivedefense.com>,
	Eric Dumazet <edumazet@...gle.com>,
	Konstantin Khlebnikov <khlebnikov@...dex-team.ru>,
	Al Viro <viro@...iv.linux.org.uk>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net: Fix potential NULL pointer dereference in __skb_try_recv_datagram

Jacob Siverskog <jacob@...nage.engineering> writes:
> This should fix a NULL pointer dereference I encountered (dump
> below). Since __skb_unlink is called while walking,
> skb_queue_walk_safe should be used.

The code in question is:

	skb_queue_walk(queue, skb) {
		*last = skb;
		*peeked = skb->peeked;
		if (flags & MSG_PEEK) {
			if (_off >= skb->len && (skb->len || _off ||
						 skb->peeked)) {
				_off -= skb->len;
				continue;
			}

			skb = skb_set_peeked(skb);
			error = PTR_ERR(skb);
			if (IS_ERR(skb)) {
				spin_unlock_irqrestore(&queue->lock,
						       cpu_flags);
				goto no_packet;
			}

			atomic_inc(&skb->users);
		} else
			__skb_unlink(skb, queue);

		spin_unlock_irqrestore(&queue->lock, cpu_flags);
		*off = _off;
		return skb;
	}

__skb_unlink is only called prior to returning from the function.
Consequently, it won't affect the skb_queue_walk code.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
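
The distinction drawn in the reply above, as an added example that is not part of the original message or of the kernel source: a simplified user-space model of the queue walk, showing that unlink-then-return works with the plain walker while unlink-and-continue is the case that needs the _safe form. The names struct node, queue_walk, queue_walk_safe, queue_init, queue_tail, unlink_node, dequeue_first, drain_short and demo are hypothetical, and the sample queue is constructed.

```c
#include <stddef.h>
/* Simplified stand-in for the sk_buff queue: circular list, head sentinel. */
struct node { struct node *next, *prev; int len; };
#define queue_walk(q, n) \
	for (n = (q)->next; n != (q); n = n->next)
#define queue_walk_safe(q, n, tmp) \
	for (n = (q)->next, tmp = n->next; n != (q); n = tmp, tmp = n->next)
static void queue_init(struct node *q) { q->next = q->prev = q; }
static void queue_tail(struct node *q, struct node *n)
{
	n->prev = q->prev; n->next = q;
	q->prev->next = n; q->prev = n;
}
/* Like __skb_unlink: detach the node and clear its own links. */
static void unlink_node(struct node *n)
{
	n->prev->next = n->next; n->next->prev = n->prev;
	n->next = n->prev = NULL;
}
/* Quoted pattern: unlink, then return; "n = n->next" never runs on n. */
static struct node *dequeue_first(struct node *q, int min_len)
{
	struct node *n;
	queue_walk(q, n) {
		if (n->len < min_len)
			continue;
		unlink_node(n);
		return n;
	}
	return NULL;
}
/* Unlinking and continuing is the case that needs the _safe walker. */
static int drain_short(struct node *q, int max_len)
{
	struct node *n, *tmp;
	int removed = 0;
	queue_walk_safe(q, n, tmp)
		if (n->len <= max_len) { unlink_node(n); removed++; }
	return removed;
}
/* Constructed sample queue with lengths 0, 5, 0, 7; returns 1 on success. */
static int demo(void)
{
	struct node q, n[4] = { {0, 0, 0}, {0, 0, 5}, {0, 0, 0}, {0, 0, 7} };
	queue_init(&q);
	for (int i = 0; i < 4; i++) queue_tail(&q, &n[i]);
	return dequeue_first(&q, 1) == &n[1] && n[1].next == NULL &&
	       drain_short(&q, 0) == 2 && q.next == &n[3] && n[3].next == &q;
}
```

After dequeue_first returns, the unlinked node's next pointer is NULL, which is why a plain walk that kept iterating past an unlink would dereference NULL on its next step.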