projects / openwrt / staging / blogic.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6e5928f)
6lowpan: Fix null pointer dereference in UDP uncompression function
authorTony Cheneau <tony.cheneau@amnesiak.org>
Wed, 11 Jul 2012 06:51:14 +0000 (06:51 +0000)
committerDavid S. Miller <davem@davemloft.net>
Tue, 17 Jul 2012 05:51:15 +0000 (22:51 -0700)
When a UDP packet gets fragmented, a crash will occur at reassembly time.
This is because skb->transport_header is not set during earlier period of fragment reassembly.
As a consequence, call to udp_hdr() return NULL and uh (which is NULL) gets
dereferenced without much test.

Signed-off-by: Tony Cheneau <tony.cheneau@amnesiak.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ieee802154/6lowpan.c patch | blob | history

diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
index 6871ec1b30f88b724d499db4c307047ed7798869..416a54d31fb2088360a713e772374fef7fbe12c8 100644 (file)
--- a/net/ieee802154/6lowpan.c
+++ b/net/ieee802154/6lowpan.c
@@ -314,6 +314,9 @@ lowpan_uncompress_udp_header(struct sk_buff *skb)
        struct udphdr *uh = udp_hdr(skb);
        u8 tmp;
 
+       if (!uh)
+               goto err;
+
        if (lowpan_fetch_skb_u8(skb, &tmp))
                goto err;
 
John Crispins staging tree