Re: [PATCH v2] flow_dissector: prevent NULL pointer dereference in __skb_flow_dissect

From: Denis Kirjanov
Date: Thu Mar 21 2024 - 08:52:36 EST




On 3/21/24 15:34, Anastasia Belova wrote:
> skb is an optional parameter, so it may be NULL.
> Add check before dereference in eth_hdr.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 690e36e726d0 ("net: Allow raw buffers to be passed into the flow dissector.")
> Signed-off-by: Anastasia Belova <abelova@xxxxxxxxxxxxx>

As requested in the previous email, please show the actual data flow that leads to a null pointer
dereference.
Also, please read the function description:
..
* @skb: sk_buff to extract the flow from, can be NULL if the rest are specified
..

> ---
> net/core/flow_dissector.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
> index 272f09251343..68a8228ffae3 100644
> --- a/net/core/flow_dissector.c
> +++ b/net/core/flow_dissector.c
> @@ -1139,6 +1139,8 @@ bool __skb_flow_dissect(const struct net *net,
>
> if (dissector_uses_key(flow_dissector,
> FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
> + if (!skb)
> + goto out_bad;
> struct ethhdr *eth = eth_hdr(skb);
> struct flow_dissector_key_eth_addrs *key_eth_addrs;
>
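Review bot: the new `if (!skb)` / `goto out_bad;` pair is placed ahead of the declarations of `eth` and `key_eth_addrs` in the FLOW_DISSECTOR_KEY_ETH_ADDRS block, so the block now has a statement before its declarations. Declare `struct ethhdr *eth;` first and assign `eth = eth_hdr(skb);` after the check instead. The bigger open point is behaviour: the function description says skb can be NULL if the rest are specified, so a NULL-skb caller that requests this key would now take the out_bad path rather than simply having the Ethernet addresses skipped. The commit message should name the caller that reaches this block with a NULL skb and explain why jumping to out_bad is preferred over skipping only this key.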