Re: [regression] nf_iterate(), BUG: unable to handle kernel NULLpointer dereference

[David Miller]

From: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Date: Thu, 24 Jul 2008 14:13:42 -0700 (PDT)

> Finally, why do the "ct->ext" dereference thing, when we know it has
> to be equal to "new"?

Actually in the old code this precondition didn't hold, which explains
how it is.

The old code looked like:

	if (newlen >= ksize(ct->ext)) {
		new = kmalloc(newlen, gfp);
		if (!new)
			return NULL;
 ...
		ct->ext = new;
	}

	ct->ext->offset[id] = newoff;
	ct->ext->len = newlen;
	memset((void *)ct->ext + newoff, 0, newlen - newoff);
	return (void *)ct->ext + newoff;

and in that context 'new' is only assigned in the "newlen >=" guarded
code block.

Anyways, it does seem that we should indeed only update the
new larger length only after we've initialized the contents.

Note that we could make krealloc() and friends clear out the trailing
bits of the new buffer, and therefore the caller wouldn't even need to
be mindful of such things.

I don't know if that's desirable in general, probably it isn't.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/