netdev.vger.kernel.org archive mirror
From: David Miller <davem@davemloft.net>
To: eric.dumazet@gmail.com
Cc: nelhage@ksplice.com, netdev@vger.kernel.org
Subject: Re: NULL dereference in econet AUN-over-UDP receive
Date: Wed, 08 Dec 2010 18:02:15 -0800 (PST)
Message-ID: <20101208.180215.193709862.davem@davemloft.net>
In-Reply-To: <1291858667.2795.16.camel@edumazet-laptop>

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Thu, 09 Dec 2010 02:37:47 +0100

> On Wednesday 08 December 2010 at 19:30 -0500, Nelson Elhage wrote:
>> While testing one of my econet reproducers on a patched kernel, I triggered a
>> NULL pointer dereference in the econet AUN-over-UDP receive path. Upon further
>> investigation, I now suspect that this code path hasn't worked at all in years.
>> 
>> A copy of the oops is below for your reference, but here's my analysis:
>> 
>> When aun_data_available receives a data packet (ah->code == 2), it calls
>> aun_incoming to process the skb. The start of aun_incoming looks like:
>> 
>> static void aun_incoming(struct sk_buff *skb, struct aunhdr *ah, size_t len)
>> {
>> 	struct iphdr *ip = ip_hdr(skb);
>> 	unsigned char stn = ntohl(ip->saddr) & 0xff;
>> 	struct sock *sk = NULL;
>> 	struct sk_buff *newskb;
>> ---> 	struct ec_device *edev = skb->dev->ec_ptr;    
>> 
> 
> This can be changed to use skb_dst(skb)->dev instead
> 
> struct dst_entry *dst = skb_dst(skb);
> 
> if (dst) {
> 	dev = dst->dev;
> 	...
> }

Nelson please test if this patch fixes your crash:

econet: Fix crash in aun_incoming().

Unconditional use of skb->dev won't work here,
try to fetch the econet device via skb_dst()->dev
instead.

Suggested by Eric Dumazet.

Reported-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
index f180371..15dcc1a 100644
--- a/net/econet/af_econet.c
+++ b/net/econet/af_econet.c
@@ -851,9 +851,13 @@ static void aun_incoming(struct sk_buff *skb, struct aunhdr *ah, size_t len)
 {
 	struct iphdr *ip = ip_hdr(skb);
 	unsigned char stn = ntohl(ip->saddr) & 0xff;
+	struct dst_entry *dst = skb_dst(skb);
+	struct ec_device *edev = NULL;
 	struct sock *sk = NULL;
 	struct sk_buff *newskb;
-	struct ec_device *edev = skb->dev->ec_ptr;
+
+	if (dst)
+		edev = dst->dev->ec_ptr;
 
 	if (! edev)
 		goto bad;
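Review bot: the new `if (dst) edev = dst->dev->ec_ptr;` guards against a missing dst but still assumes that `dst->dev` is the econet ingress interface, and that should be confirmed before merging: for a UDP packet delivered to a local socket the input route's `dst.dev` is commonly the loopback device rather than the interface the datagram arrived on, in which case `ec_ptr` is NULL and every AUN packet would quietly take the `goto bad` path, turning the crash into a silent drop. If that is the case, the ingress interface is better recovered from the input route's `rt_iif` (via `skb_rtable(skb)`) and resolved with `dev_get_by_index()`, with the reference dropped on every exit from `aun_incoming()`. Either way, `goto bad` on a NULL `edev` is the right failure mode here, since `skb->dev` has already been cleared by the time the skb sits in the socket receive queue and nothing else in this function can safely derive the device.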

Thread overview: 5+ messages
2010-12-09  0:30 NULL dereference in econet AUN-over-UDP receive Nelson Elhage
2010-12-09  1:37 ` Eric Dumazet
2010-12-09  2:02   ` David Miller [this message]
2010-12-09  4:18     ` Nelson Elhage
2010-12-09  4:50       ` David Miller