From: Shan Wei <shanwei@cn.fujitsu.com>
To: Thomas Dreibholz <dreibh@iem.uni-due.de>
Cc: netdev@vger.kernel.org, linux-sctp@vger.kernel.org,
Martin Becke <martin.becke@uni-due.de>
Subject: Re: [PATCH] net: SCTP NULL-pointer dereference problem description
Date: Wed, 15 Sep 2010 08:44:24 +0000 [thread overview]
Message-ID: <4C908768.4040502@cn.fujitsu.com> (raw)
In-Reply-To: <201009151003.17407.dreibh@iem.uni-due.de>
Thomas Dreibholz wrote, at 09/15/2010 04:03 PM:
> sctp_assoc_update_retran_path() in net/sctp/associola.c may dereference a
> NULL-pointer when compiled with SCTP_DEBUG option: t will be NULL if there is
> no usable path for retransmission. SCTP_DEBUG_PRINTK_IPADDR() makes an access
> to t->ipaddr.v4.sin_port, without checking t before. t=NULL => oops.
>
> The patch below against 2.6.36-rc4 (git repository) simply ensures that t is
> checked for not being set to NULL before calling SCTP_DEBUG_PRINTK_IPADDR().
This bug has been reported by WeiYongjun and fixed by vlad for several months.
About the details see .
http://marc.info/?l=linux-sctp&m\x127359276009851&w=2
But this patch is still in vlad's net-next tree, not in main tree.
See the patch:
http://git.kernel.org/?p=linux/kernel/git/vxy/lksctp-dev.git;a=commit;hë1639d206320e6a09168d6dd77306eaf5f02582
>
>
> Signed-off-by: Thomas Dreibholz <dreibh@iem.uni-due.de>
> ---
> diff --git a/net/sctp/associola.c b/net/sctp/associola.c
> index e41feff..b2688a4 100644
> --- a/net/sctp/associola.c
> +++ b/net/sctp/associola.c
> @@ -1321,15 +1321,15 @@ void sctp_assoc_update_retran_path(struct
> sctp_association *asoc)
> }
> }
>
> - if (t)
> + if (t) {
> asoc->peer.retran_path = t;
> -
> - SCTP_DEBUG_PRINTK_IPADDR("sctp_assoc_update_retran_path:association"
> - " %p addr: ",
> - " port: %d\n",
> - asoc,
> - (&t->ipaddr),
> - ntohs(t->ipaddr.v4.sin_port));
> + SCTP_DEBUG_PRINTK_IPADDR("sctp_assoc_update_retran_path:association"
> + " %p addr: ",
> + " port: %d\n",
> + asoc,
> + (&t->ipaddr),
> + ntohs(t->ipaddr.v4.sin_port));
> + }
> }
>
> /* Choose the transport for sending retransmit packet. */
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
--
Best Regards
-----
Shan Wei
WARNING: multiple messages have this Message-ID (diff)
From: Shan Wei <shanwei@cn.fujitsu.com>
To: Thomas Dreibholz <dreibh@iem.uni-due.de>
Cc: netdev@vger.kernel.org, linux-sctp@vger.kernel.org,
Martin Becke <martin.becke@uni-due.de>
Subject: Re: [PATCH] net: SCTP NULL-pointer dereference problem description and fix
Date: Wed, 15 Sep 2010 16:44:24 +0800 [thread overview]
Message-ID: <4C908768.4040502@cn.fujitsu.com> (raw)
In-Reply-To: <201009151003.17407.dreibh@iem.uni-due.de>
Thomas Dreibholz wrote, at 09/15/2010 04:03 PM:
> sctp_assoc_update_retran_path() in net/sctp/associola.c may dereference a
> NULL-pointer when compiled with SCTP_DEBUG option: t will be NULL if there is
> no usable path for retransmission. SCTP_DEBUG_PRINTK_IPADDR() makes an access
> to t->ipaddr.v4.sin_port, without checking t before. t==NULL => oops.
>
> The patch below against 2.6.36-rc4 (git repository) simply ensures that t is
> checked for not being set to NULL before calling SCTP_DEBUG_PRINTK_IPADDR().
This bug has been reported by WeiYongjun and fixed by vlad for several months.
About the details see .
http://marc.info/?l=linux-sctp&m=127359276009851&w=2
But this patch is still in vlad's net-next tree, not in main tree.
See the patch:
http://git.kernel.org/?p=linux/kernel/git/vxy/lksctp-dev.git;a=commit;h=eb1639d206320e6a09168d6dd77306eaf5f02582
>
>
> Signed-off-by: Thomas Dreibholz <dreibh@iem.uni-due.de>
> ---
> diff --git a/net/sctp/associola.c b/net/sctp/associola.c
> index e41feff..b2688a4 100644
> --- a/net/sctp/associola.c
> +++ b/net/sctp/associola.c
> @@ -1321,15 +1321,15 @@ void sctp_assoc_update_retran_path(struct
> sctp_association *asoc)
> }
> }
>
> - if (t)
> + if (t) {
> asoc->peer.retran_path = t;
> -
> - SCTP_DEBUG_PRINTK_IPADDR("sctp_assoc_update_retran_path:association"
> - " %p addr: ",
> - " port: %d\n",
> - asoc,
> - (&t->ipaddr),
> - ntohs(t->ipaddr.v4.sin_port));
> + SCTP_DEBUG_PRINTK_IPADDR("sctp_assoc_update_retran_path:association"
> + " %p addr: ",
> + " port: %d\n",
> + asoc,
> + (&t->ipaddr),
> + ntohs(t->ipaddr.v4.sin_port));
> + }
> }
>
> /* Choose the transport for sending retransmit packet. */
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
--
Best Regards
-----
Shan Wei
next prev parent reply other threads:[~2010-09-15 8:44 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-09-15 8:03 [PATCH] net: SCTP NULL-pointer dereference problem description and fix Thomas Dreibholz
2010-09-15 8:03 ` Thomas Dreibholz
2010-09-15 8:44 ` Shan Wei [this message]
2010-09-15 8:44 ` Shan Wei
2010-09-15 12:53 ` Thomas Dreibholz
2010-09-15 12:53 ` Thomas Dreibholz
2010-09-15 13:02 ` [PATCH] net: SCTP NULL-pointer dereference problem description Vlad Yasevich
2010-09-15 13:02 ` [PATCH] net: SCTP NULL-pointer dereference problem description and fix Vlad Yasevich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C908768.4040502@cn.fujitsu.com \
--to=shanwei@cn.fujitsu.com \
--cc=dreibh@iem.uni-due.de \
--cc=linux-sctp@vger.kernel.org \
--cc=martin.becke@uni-due.de \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.