From: 冯嘉仪 <23210240148@m.fudan.edu.cn>
To: davem <davem@davemloft.net>
Cc: dsahern <dsahern@kernel.org>, edumazet <edumazet@google.com>,
	kuba <kuba@kernel.org>, pabeni <pabeni@redhat.com>,
	netdev <netdev@vger.kernel.org>,
	linux-kernel <linux-kernel@vger.kernel.org>
Subject: [BUG] Potential Null Pointer Dereference in rt6_device_match Function
Date: Sat, 14 Feb 2026 20:57:41 +0800
Message-ID: <tencent_080DAAF351096CB43CF4BC40@qq.com>

Dear Maintainer,

Our team recently developed a null-pointer-dereference (NPD) vulnerability detection tool, and we used it to scan the Linux Kernel (version 6.9.6). After manual review, we identified a potentially vulnerable code snippet that could lead to a null-pointer dereference bug. We would appreciate your expert insight to confirm whether this vulnerability could indeed pose a risk to the system.

Vulnerability Description:
File: net/ipv6/route.c
In the function rt6_device_match, we found the following line of code:

if (nh->fib_nh_flags & RTNH_F_DEAD) {

The issue arises because the nh pointer may be passed as NULL in certain situations. Since nh is NULL, accessing nh->fib_nh_flags in the statement could result in a null-pointer dereference.

Proposed Fix:
To prevent the potential null-pointer dereference, we suggest adding a NULL check for the nh pointer before attempting to dereference nh->fib_nh_flags in the line.

Request for Review:
We would appreciate your expert insight to confirm whether this vulnerability indeed poses a risk to the system, and if the proposed fix is appropriate. If there are reasons why this issue does not present a real risk (e.g., the NULL check is redundant or unnecessary), we would be grateful for clarification.

Thank you for your time and consideration.
