[PATCH] ipv4: gre: Fix null pointer dereference in gre_cisco_err()

From: Wei Zhang
Date: Mon Mar 24 2014 - 03:52:26 EST

Next message: Lee Jones: "Re: [RFC V1 1/3] hwmon: da9063: HWMON driver"
Previous message: Stefan Biereigel: "[REGRESSION 3.14-rc6] Samsung N150 lid does not "open" after suspend to RAM."
Next in thread: wei zhang: "Re:[PATCH] ipv4: gre: Fix null pointer dereference in gre_cisco_err()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

When use the gre vport, openvswitch register a gre_cisco_protocol but
does not supply a err_handler with it. The gre_cisco_err() call the
err_handler without existence check, cause the kernel crash.

This patch base on v3.14-rc7. But the bug affect all kernel newer than
3.11!

Signed-off-by: Wei Zhang <asuka.com@xxxxxxx>
---
net/ipv4/gre_demux.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/ipv4/gre_demux.c b/net/ipv4/gre_demux.c
index 1863422..56b0d67 100644
--- a/net/ipv4/gre_demux.c
+++ b/net/ipv4/gre_demux.c
@@ -250,7 +250,7 @@ static void gre_cisco_err(struct sk_buff *skb, u32 info)
struct gre_cisco_protocol *proto;

proto = rcu_dereference(gre_cisco_proto_list[i]);
- if (!proto)
+ if (!proto || !proto->err_handler)
continue;

if (proto->err_handler(skb, info, &tpi) == PACKET_RCVD)
--
1.7.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Lee Jones: "Re: [RFC V1 1/3] hwmon: da9063: HWMON driver"
Previous message: Stefan Biereigel: "[REGRESSION 3.14-rc6] Samsung N150 lid does not "open" after suspend to RAM."
Next in thread: wei zhang: "Re:[PATCH] ipv4: gre: Fix null pointer dereference in gre_cisco_err()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]