diff options
author | Tony Cheneau <tony.cheneau@amnesiak.org> | 2012-07-11 02:51:14 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2012-07-17 01:51:15 -0400 |
commit | d4787a15432384826a0bed42d189fc2a97dc73ea (patch) | |
tree | 211b8183a67dd12d817146265485a597a4f85942 /net/ieee802154 | |
parent | 6e5928f6dfd92a47c489bb735c4cb8bbb62038e0 (diff) |
6lowpan: Fix null pointer dereference in UDP uncompression function
When a UDP packet gets fragmented, a crash will occur at reassembly time.
This is because skb->transport_header is not set during earlier period of fragment reassembly.
As a consequence, call to udp_hdr() return NULL and uh (which is NULL) gets
dereferenced without much test.
Signed-off-by: Tony Cheneau <tony.cheneau@amnesiak.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ieee802154')
-rw-r--r-- | net/ieee802154/6lowpan.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c index 6871ec1b30f8..416a54d31fb2 100644 --- a/net/ieee802154/6lowpan.c +++ b/net/ieee802154/6lowpan.c | |||
@@ -314,6 +314,9 @@ lowpan_uncompress_udp_header(struct sk_buff *skb) | |||
314 | struct udphdr *uh = udp_hdr(skb); | 314 | struct udphdr *uh = udp_hdr(skb); |
315 | u8 tmp; | 315 | u8 tmp; |
316 | 316 | ||
317 | if (!uh) | ||
318 | goto err; | ||
319 | |||
317 | if (lowpan_fetch_skb_u8(skb, &tmp)) | 320 | if (lowpan_fetch_skb_u8(skb, &tmp)) |
318 | goto err; | 321 | goto err; |
319 | 322 | ||