Commit 3c8a9c63 authored Jul 05, 2009 by Mariusz Kozlowski Committed by David S. Miller Jul 06, 2009

tun/tap: Fix crashes if open() /dev/net/tun and then poll() it.



Fix NULL pointer dereference in tun_chr_pool() introduced by commit
33dccbb0 ("tun: Limit amount of queued
packets per device") and triggered by this code:

	int fd;
	struct pollfd pfd;
	fd = open("/dev/net/tun", O_RDWR);
	pfd.fd = fd;
	pfd.events = POLLIN | POLLOUT;
	poll(&pfd, 1, 0);

Reported-by: Eugene Kapun <abacabadabacaba@gmail.com>
Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 1ded3f59

drivers/net/tun.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -486,12 +486,14 @@ static unsigned int tun_chr_poll(struct file file, poll_table wait)
		{
		struct tun_file *tfile = file->private_data;
		struct tun_struct *tun = __tun_get(tfile);
		struct sock *sk = tun->sk;
		struct sock *sk;
		unsigned int mask = 0;

		if (!tun)
		return POLLERR;

		sk = tun->sk;

		DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);

		poll_wait(file, &tun->socket.wait, wait);