
Commit 8de53dfb authored by Patrick McHardy's avatar Patrick McHardy

ipv4: ipmr: fix NULL pointer deref during unres queue destruction



Fix an oversight in ipmr_destroy_unres() - the net pointer is
unconditionally initialized to NULL, resulting in a NULL pointer
dereference later on.

Fix by adding a net pointer to struct mr_table and using it in
ipmr_destroy_unres().

Signed-off-by: Patrick McHardy <kaber@trash.net>
parent b0ebb739
+5 −1
@@ -71,6 +71,9 @@

struct mr_table {
	struct list_head	list;
#ifdef CONFIG_NET_NS
	struct net		*net;
#endif
	u32			id;
	struct sock		*mroute_sk;
	struct timer_list	ipmr_expire_timer;
@@ -308,6 +311,7 @@ static struct mr_table *ipmr_new_table(struct net *net, u32 id)
	mrt = kzalloc(sizeof(*mrt), GFP_KERNEL);
	if (mrt == NULL)
		return NULL;
	write_pnet(&mrt->net, net);
	mrt->id = id;

	/* Forwarding cache */
@@ -580,7 +584,7 @@ static inline void ipmr_cache_free(struct mfc_cache *c)

static void ipmr_destroy_unres(struct mr_table *mrt, struct mfc_cache *c)
{
	struct net *net = NULL; //mrt->net;
	struct net *net = read_pnet(&mrt->net);
	struct sk_buff *skb;
	struct nlmsgerr *e;