Re: [PATCH] decnet: fix possible NULL deref in dnet_select_source()
From: David Miller
Date: Mon Apr 07 2014 - 15:19:08 EST
From: Eric Dumazet <eric.dumazet@xxxxxxxxx>
Date: Sun, 06 Apr 2014 14:59:14 -0700
> From: Eric Dumazet <edumazet@xxxxxxxxxx>
>
> dnet_select_source() should make sure dn_ptr is not NULL.
>
> While looking at this decnet code, I believe I found a device
> reference leak, lets fix it as well.
>
> Reported-by: Sasha Levin <sasha.levin@xxxxxxxxxx>
> Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
> ---
> It seems this bug is very old, no recent change is involved.
The callers work hard to ensure this.
Analyzing all call sites:
1) __dn_fib_res_prefsrc() uses the FIB entry device pointer, we should not
be adding FIB entries pointing to devices which do not have their
decnet private initialized yet.
2) dn_route_output_slow()
The paths leading to the dnet_select_address() call(s) check if
dev_out->dn_ptr is not NULL, except when using loopback.
In some other paths the device comes from neigh->dev, from which the
'neigh' was looked up in dn_neigh_table. There should not be neighbour
entries in this table pointing to devices which do not have their
decnet private setup yet.
And in the loopback case, it is the decnet stack's responsibility to
make sure ->dn_ptr is setup properly, else it should fail the module
load and stack initialization.
I think there is some core fundamental issue here, and just adding
a NULL check to dnet_select_source() is just papering around the issue.
Please look closer at the stack trace, this code, and my analysis
above to figure out what's really going on so we can fix this properly.
Thanks.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/