[PATCH net-next 1/4] 6lowpan: Fix in UDP uncompression function when a null pointer gets dereferenced

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Tony Cheneau <tony.cheneauh@amnesiak.org>
To: netdev@vger.kernel.org, linux-zigbee-devel@lists.sourceforge.net
Cc: alex.bluesman.smirnov@gmail.com
Subject: [PATCH net-next 1/4] 6lowpan: Fix in UDP uncompression function when a null pointer gets dereferenced
Date: Mon, 11 Jun 2012 00:38:52 -0400	[thread overview]
Message-ID: <20120611003852.265750da@dualbox> (raw)

When a UDP packet gets fragmented, a crash will occur during
reassembly.
skb->transport_header is not set during earlier period of fragment
reassembly. As a consequence, calll to udp_hdr() return NULL and uh
(which is NULL) gets dereferenced without much test.
I will post a patch later that will set skb->transport_header
 correctly in lowpan_process_data(), so that
lowpan_uncompress_udp_header() behave as intended.
---
 net/ieee802154/6lowpan.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
index 32eb417..a52e795 100644
--- a/net/ieee802154/6lowpan.c
+++ b/net/ieee802154/6lowpan.c
@@ -317,6 +317,9 @@ lowpan_uncompress_udp_header(struct sk_buff *skb)
 {
 	struct udphdr *uh = udp_hdr(skb);
 	u8 tmp;
+	
+	if (!uh)
+		goto err;
 
 	tmp = lowpan_fetch_skb_u8(skb);
 
-- 
1.7.3.4

                 reply	other threads:[~2012-06-11  4:46 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:32eb417 dfblob:a52e795 )
 OR (
bs:"[PATCH net-next 1/4] 6lowpan: Fix in UDP uncompression function when a null pointer gets dereferenced" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20120611003852.265750da@dualbox \
    --to=tony.cheneauh@amnesiak.org \
    --cc=alex.bluesman.smirnov@gmail.com \
    --cc=linux-zigbee-devel@lists.sourceforge.net \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.