Re: [PATCH] potential NULL pointer deref in net/key/af_key.c

[Jesper Juhl]

On 27/11/06, David Miller <davem@xxxxxxxxxxxxx> wrote:
> From: Jesper Juhl <jesper.juhl@xxxxxxxxx>
> Date: Mon, 27 Nov 2006 22:44:07 +0100
>
> > In net/key/af_key.c::pfkey_send_policy_notify() there's a check at the
> > beginning of the function :
> >
> >     if (xp && xp->type != XFRM_POLICY_TYPE_MAIN)
> >
> > this implies that 'xp' may be null when the function is called. But later
> > on in the function we have this code :
> >
> >     return key_notify_policy(xp, dir, c);
> >
> > key_notify_policy() passes 'xp' to pfkey_xfrm_policy2msg_prep() that pass
> > it on to pfkey_xfrm_policy2msg_size() which dereferences it.
> > key_notify_policy() also passes 'xp' to pfkey_xfrm_policy2msg() which
> > also dereferences it.
> >
> > So, in pfkey_send_policy_notify() in the cases where we end up calling
> > key_notify_policy(), we should test 'xp' for NULL.
> >
> > (note: patch is compile tested only)
> >
> >
> > Signed-off-by: Jesper Juhl <jesper.juhl@xxxxxxxxx>
>
> We really need to teach your automated tool about context.
>
> The NULL case can only occur for XFRM_MSG_FLUSHPOLICY.
>
> Look at the km_policy_notify() call sites.  You can even see from the
> net/xfrm/xfrm_user.c:xfrm_send_policy_notify() implementation of this
> callback that for XFRM_MSG_FLUSHPOLICY the "xp" argument is ignored.
Arrgh, you are right. I really need to check call sites more carefully :(

--
Jesper Juhl <jesper.juhl@xxxxxxxxx>
Don't top-post  http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please      http://www.expita.com/nomime.html
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/