lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[SCTP]: Fix NULL dereference of asoc.

Browse Source 
Commit 7cbca67c07 ("[IPV6]: Support
Source Address Selection API (RFC5014)") introduced NULL dereference
of asoc to sctp_v6_get_saddr in net/sctp/ipv6.c.
Pointed out by Johann Felix Soden <johfel@users.sourceforge.net>.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
This commit is contained in:
YOSHIFUJI Hideaki
2008-05-29 19:55:05 +09:00
parent 7dccf1f4e1
commit e51171019b
4 changed files with 8 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
include/net/sctp/structs.h
View File

@@ -548,7 +548,8 @@ struct sctp_af {
struct dst_entry *(*get_dst) (struct sctp_association *asoc, struct dst_entry *(*get_dst) (struct sctp_association *asoc,
union sctp_addr *daddr, union sctp_addr *daddr,
union sctp_addr *saddr); union sctp_addr *saddr);
void (*get_saddr) (struct sctp_association *asoc, void (*get_saddr) (struct sctp_sock *sk,
struct sctp_association *asoc,
struct dst_entry *dst, struct dst_entry *dst,
union sctp_addr *daddr, union sctp_addr *daddr,
union sctp_addr *saddr); union sctp_addr *saddr);

5
net/sctp/ipv6.c
View File

@@ -299,7 +299,8 @@ static inline int sctp_v6_addr_match_len(union sctp_addr *s1,
/* Fills in the source address(saddr) based on the destination address(daddr) /* Fills in the source address(saddr) based on the destination address(daddr)
* and asoc's bind address list. * and asoc's bind address list.
*/ */
static void sctp_v6_get_saddr(struct sctp_association *asoc, static void sctp_v6_get_saddr(struct sctp_sock *sk,
struct sctp_association *asoc,
struct dst_entry *dst, struct dst_entry *dst,
union sctp_addr *daddr, union sctp_addr *daddr,
union sctp_addr *saddr) union sctp_addr *saddr)
@@ -318,7 +319,7 @@ static void sctp_v6_get_saddr(struct sctp_association *asoc,
if (!asoc) { if (!asoc) {
ipv6_dev_get_saddr(dst ? ip6_dst_idev(dst)->dev : NULL, ipv6_dev_get_saddr(dst ? ip6_dst_idev(dst)->dev : NULL,
&daddr->v6.sin6_addr, &daddr->v6.sin6_addr,
inet6_sk(asoc->base.sk)->srcprefs, inet6_sk(&sk->inet.sk)->srcprefs,
&saddr->v6.sin6_addr); &saddr->v6.sin6_addr);
SCTP_DEBUG_PRINTK("saddr from ipv6_get_saddr: " NIP6_FMT "\n", SCTP_DEBUG_PRINTK("saddr from ipv6_get_saddr: " NIP6_FMT "\n",
NIP6(saddr->v6.sin6_addr)); NIP6(saddr->v6.sin6_addr));

3
net/sctp/protocol.c
View File

@@ -519,7 +519,8 @@ out:
/* For v4, the source address is cached in the route entry(dst). So no need /* For v4, the source address is cached in the route entry(dst). So no need
* to cache it separately and hence this is an empty routine. * to cache it separately and hence this is an empty routine.
*/ */
static void sctp_v4_get_saddr(struct sctp_association *asoc, static void sctp_v4_get_saddr(struct sctp_sock *sk,
struct sctp_association *asoc,
struct dst_entry *dst, struct dst_entry *dst,
union sctp_addr *daddr, union sctp_addr *daddr,
union sctp_addr *saddr) union sctp_addr *saddr)

2
net/sctp/transport.c
View File

@@ -291,7 +291,7 @@ void sctp_transport_route(struct sctp_transport *transport,
if (saddr) if (saddr)
memcpy(&transport->saddr, saddr, sizeof(union sctp_addr)); memcpy(&transport->saddr, saddr, sizeof(union sctp_addr));
else else
af->get_saddr(asoc, dst, daddr, &transport->saddr); af->get_saddr(opt, asoc, dst, daddr, &transport->saddr);
transport->dst = dst; transport->dst = dst;
if ((transport->param_flags & SPP_PMTUD_DISABLE) && transport->pathmtu) { if ((transport->param_flags & SPP_PMTUD_DISABLE) && transport->pathmtu) {