potential null pointer dereference in ip6_xmit
From: Colin Ian King
Date: Fri Sep 17 2021 - 12:41:58 EST
Hi,
Static analysis with Coverity detected a potential null pointer
dereference in ip6_xmit, net/ipv6/ip6_output.c. I believe it may have been
introduced by the following commit:
commit 513674b5a2c9c7a67501506419da5c3c77ac6f08
Author: Shaohua Li <shli@xxxxxx>
Date: Wed Dec 20 12:10:21 2017 -0800
net: reevalulate autoflowlabel setting after sysctl setting
The analysis is as follows:
239 /*
240  * xmit an sk_buff (used by TCP, SCTP and DCCP)
241  * Note : socket lock is not held for SYNACK packets, but might be modified
242  * by calls to skb_set_owner_w() and ipv6_local_error(),
243  * which are using proper atomic operations or spinlocks.
244  */
245 int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
246              __u32 mark, struct ipv6_txoptions *opt, int tclass, u32 priority)
247 {
248         struct net *net = sock_net(sk);
249         const struct ipv6_pinfo *np = inet6_sk(sk);
250         struct in6_addr *first_hop = &fl6->daddr;
251         struct dst_entry *dst = skb_dst(skb);
252         struct net_device *dev = dst->dev;
253         struct inet6_dev *idev = ip6_dst_idev(dst);
254         unsigned int head_room;
255         struct ipv6hdr *hdr;
256         u8 proto = fl6->flowi6_proto;
257         int seg_len = skb->len;
258         int hlimit = -1;
259         u32 mtu;
260
261         head_room = sizeof(struct ipv6hdr) + LL_RESERVED_SPACE(dev);
    1. Condition opt, taking true branch.
262         if (opt)
263                 head_room += opt->opt_nflen + opt->opt_flen;
264
    2. Condition !!(head_room > skb_headroom(skb)), taking true branch.
265         if (unlikely(head_room > skb_headroom(skb))) {
266                 skb = skb_expand_head(skb, head_room);
    3. Condition !skb, taking false branch.
267                 if (!skb) {
268                         IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
269                         return -ENOBUFS;
270                 }
271         }
272
    4. Condition opt, taking true branch.
273         if (opt) {
274                 seg_len += opt->opt_nflen + opt->opt_flen;
275
    5. Condition opt->opt_flen, taking true branch.
276                 if (opt->opt_flen)
277                         ipv6_push_frag_opts(skb, opt, &proto);
278
    6. Condition opt->opt_nflen, taking true branch.
279                 if (opt->opt_nflen)
280                         ipv6_push_nfrag_opts(skb, opt, &proto, &first_hop,
281                                              &fl6->saddr);
282         }
283
284         skb_push(skb, sizeof(struct ipv6hdr));
285         skb_reset_network_header(skb);
286         hdr = ipv6_hdr(skb);
287
288         /*
289          * Fill in the IPv6 header
290          */
    7. Condition np, taking false branch.
    8. var_compare_op: Comparing np to null implies that np might be null.
291         if (np)
292                 hlimit = np->hop_limit;
    9. Condition hlimit < 0, taking true branch.
293         if (hlimit < 0)
294                 hlimit = ip6_dst_hoplimit(dst);
295
    Dereference after null check (FORWARD_NULL)
    10. var_deref_model: Passing null pointer np to ip6_autoflowlabel, which dereferences it.
296         ip6_flow_hdr(hdr, tclass, ip6_make_flowlabel(net, skb, fl6->flowlabel,
297                                                      ip6_autoflowlabel(net, np), fl6));
298
298
There is a null check on np on line 291, so potentially np could be null
on the call on line 296 where a null is passed to the function
ip6_autoflowlabel that dereferences the null np.
Colin
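The pattern Coverity reports here (a pointer compared against NULL, then passed unconditionally to a helper that dereferences it) is worth seeing in isolation. The following is an added, constructed model, not kernel code and not Colin's: the structs and helper names (sock_opts, netns_opts, autoflowlabel_unsafe, autoflowlabel_safe, build_header) are simplified stand-ins for np, net and the hop-limit / flowlabel helpers in ip6_xmit, and the field values are made up.

```c
/* Constructed model of the check-then-dereference shape that Coverity
 * flags as FORWARD_NULL. Not kernel code: every type and function here
 * is a simplified stand-in for the real ip6_xmit prologue. */
#include <stddef.h>

/* Stand-in for struct ipv6_pinfo: only the two fields the model needs. */
struct sock_opts {
    int hop_limit;      /* -1 means "not set, use the route default" */
    int autoflowlabel;  /* per-socket override of the sysctl */
};

/* Stand-in for the per-namespace defaults (sysctl and route hop limit). */
struct netns_opts {
    int sysctl_auto_flowlabel;
    int route_hoplimit;
};

/* Mirrors the reported shape: the caller may pass np == NULL, but this
 * helper reads through it unconditionally. Kept only to show the defect. */
int autoflowlabel_unsafe(const struct netns_opts *net,
                         const struct sock_opts *np)
{
    (void)net;
    return np->autoflowlabel;   /* NULL np faults here */
}

/* Hardened form: the helper honours the same "np may be NULL" expectation
 * that the caller already applies to hop_limit, falling back to the
 * namespace default when there is no socket-level setting. */
int autoflowlabel_safe(const struct netns_opts *net,
                       const struct sock_opts *np)
{
    if (np)
        return np->autoflowlabel;
    return net->sysctl_auto_flowlabel;
}

struct hdr_fields {
    int hlimit;
    int autoflowlabel;
};

/* Model of the ip6_xmit header fill-in. Because np is null-checked for
 * hop_limit, every later use of np in the same path must tolerate NULL
 * too; otherwise the check documents a case the code does not handle. */
struct hdr_fields build_header(const struct netns_opts *net,
                               const struct sock_opts *np)
{
    struct hdr_fields h;
    int hlimit = -1;

    if (np)                               /* the check Coverity keys on */
        hlimit = np->hop_limit;
    if (hlimit < 0)
        hlimit = net->route_hoplimit;     /* stand-in for ip6_dst_hoplimit */

    h.hlimit = hlimit;
    h.autoflowlabel = autoflowlabel_safe(net, np);  /* consistent with the check */
    return h;
}
```

build_header() with a NULL np exercises exactly the path the report describes; with autoflowlabel_safe() it returns the namespace default, whereas the same call through autoflowlabel_unsafe() would fault. The general lesson is that a NULL check on a pointer is a contract for the whole function: every subsequent use of that pointer, including ones hidden inside helpers, has to be reachable with NULL or the check is misleading.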