Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d3fa76ee authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller
Browse files

[NET_SCHED]: cls_basic: fix NULL pointer dereference 



cls_basic doesn't allocate tp->root before it is linked into the
active classifier list, resulting in a NULL pointer dereference
when packets hit the classifier before its ->change function is
called.

Reported by Chris Madden <chris@reflexsecurity.com>

Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent c93a882e

net/sched/cls_basic.c

+7 −9
Original line number Diff line number Diff line
@@ -81,6 +81,13 @@ static void basic_put(struct tcf_proto *tp, unsigned long f) 


static int basic_init(struct tcf_proto *tp)

{

	struct basic_head *head;



	head = kzalloc(sizeof(*head), GFP_KERNEL);

	if (head == NULL)

		return -ENOBUFS;

	INIT_LIST_HEAD(&head->flist);

	tp->root = head;

	return 0;

}
@@ -176,15 +183,6 @@ static int basic_change(struct tcf_proto *tp, unsigned long base, u32 handle, 
	}



	err = -ENOBUFS;

	if (head == NULL) {

		head = kzalloc(sizeof(*head), GFP_KERNEL);

		if (head == NULL)

			goto errout;



		INIT_LIST_HEAD(&head->flist);

		tp->root = head;

	}



	f = kzalloc(sizeof(*f), GFP_KERNEL);

	if (f == NULL)

		goto errout;