netdev.vger.kernel.org archive mirror
From: Andrew Morton <akpm@linux-foundation.org>
To: netdev@vger.kernel.org
Cc: "bugme-daemon@kernel-bugs.osdl.org"
	<bugme-daemon@bugzilla.kernel.org>,
	loveminix@yahoo.com.cn, khc@pm.waw.pl
Subject: Re: [Bugme-new] [Bug 8107] New: dev->header_cache_update has a random value
Date: Thu, 1 Mar 2007 14:34:17 -0800
Message-ID: <20070301143417.00b49e81.akpm@linux-foundation.org>
In-Reply-To: <200703011933.l21JX5hw018666@fire-2.osdl.org>

On Thu, 1 Mar 2007 11:33:05 -0800
bugme-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=8107
> 
>            Summary: dev->header_cache_update has a random value
>     Kernel Version: 2.6.20
>             Status: NEW
>           Severity: high
>              Owner: jgarzik@pobox.com
>          Submitter: loveminix@yahoo.com.cn
> 
> 
> Distribution: Kernel 2.6.20
> 
> Problem Description:
> 
> In struct net_device, there are two fields: hard_header_cache and 
> header_cache_update, both of which are function pointers. The third field, 
> hard_header, is also a function pointer. Whenever hard_header points to a valid 
> function, both hard_header_cache and header_cache_update should have a known 
> value, either NULL or a valid function pointer. However, in 
> drivers/net/wan/hdlc_cisco.c, in function static int cisco_ioctl(struct 
> net_device *dev, struct ifreq *ifr), where dev->hard_header is assigned a valid 
> function, and dev->hard_header_cache is assigned a known value (NULL),
> dev->header_cache_update is not set to a known value:
> 
>         dev->hard_start_xmit = hdlc->xmit;
>         dev->hard_header = cisco_hard_header;
>         dev->hard_header_cache = NULL;
>         dev->type = ARPHRD_CISCO;
>         dev->flags = IFF_POINTOPOINT | IFF_NOARP;
>         dev->addr_len = 0;
> 
> This may cause serious problems when dev->header_cache_update is invoked, 
> because it has an uninitialized value.
> 
> Steps to reproduce:
> 
> I found this suspicious spot with the help of a code-checking tool.
> 

Like this?



From: Andrew Morton <akpm@linux-foundation.org>

Fix http://bugzilla.kernel.org/show_bug.cgi?id=8107: we weren't initialising
the header_cache_update field.

Cc: Krzysztof Halasa <khc@pm.waw.pl>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 drivers/net/wan/hdlc_cisco.c |    1 +
 1 files changed, 1 insertion(+)

diff -puN drivers/net/wan/hdlc_cisco.c~cisco_ioctl-initialise-header_cache_update drivers/net/wan/hdlc_cisco.c
--- a/drivers/net/wan/hdlc_cisco.c~cisco_ioctl-initialise-header_cache_update
+++ a/drivers/net/wan/hdlc_cisco.c
@@ -366,6 +366,7 @@ static int cisco_ioctl(struct net_device
 		dev->hard_start_xmit = hdlc->xmit;
 		dev->hard_header = cisco_hard_header;
 		dev->hard_header_cache = NULL;
+		dev->header_cache_update = NULL;
 		dev->type = ARPHRD_CISCO;
 		dev->flags = IFF_POINTOPOINT | IFF_NOARP;
 		dev->addr_len = 0;
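Review bot: The changelog says only that header_cache_update was not initialised; it should also say what value the field can hold when cisco_ioctl reaches the block around `dev->hard_header_cache = NULL;` and why NULL is the right value for this protocol, since the report calls the value "uninitialized" without saying where it comes from. The rule stated in the report applies wherever dev->hard_header is assigned, so it is worth checking whether the other assignments of hard_header under drivers/net/wan set both cache pointers, and folding any that do not into this patch.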
_

