aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv4
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2010-04-15 07:29:28 -0400
committerPatrick McHardy <kaber@trash.net>2010-04-15 07:31:29 -0400
commit8de53dfbf9a0a0f7538c005137059c5c021476e1 (patch)
tree51fbba0b36a24feac02fa76d4deaecfcdece7c7f /net/ipv4
parentb0ebb739a8f68039f03e80b3476b204fe5adf0d7 (diff)
ipv4: ipmr: fix NULL pointer deref during unres queue destruction
Fix an oversight in ipmr_destroy_unres() - the net pointer is unconditionally initialized to NULL, resulting in a NULL pointer dereference later on. Fix by adding a net pointer to struct mr_table and using it in ipmr_destroy_unres(). Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net/ipv4')
-rw-r--r--net/ipv4/ipmr.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 0643fb6d47c..7d8a2bcecb7 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -71,6 +71,9 @@
71 71
72struct mr_table { 72struct mr_table {
73 struct list_head list; 73 struct list_head list;
74#ifdef CONFIG_NET_NS
75 struct net *net;
76#endif
74 u32 id; 77 u32 id;
75 struct sock *mroute_sk; 78 struct sock *mroute_sk;
76 struct timer_list ipmr_expire_timer; 79 struct timer_list ipmr_expire_timer;
@@ -308,6 +311,7 @@ static struct mr_table *ipmr_new_table(struct net *net, u32 id)
308 mrt = kzalloc(sizeof(*mrt), GFP_KERNEL); 311 mrt = kzalloc(sizeof(*mrt), GFP_KERNEL);
309 if (mrt == NULL) 312 if (mrt == NULL)
310 return NULL; 313 return NULL;
314 write_pnet(&mrt->net, net);
311 mrt->id = id; 315 mrt->id = id;
312 316
313 /* Forwarding cache */ 317 /* Forwarding cache */
@@ -580,7 +584,7 @@ static inline void ipmr_cache_free(struct mfc_cache *c)
580 584
581static void ipmr_destroy_unres(struct mr_table *mrt, struct mfc_cache *c) 585static void ipmr_destroy_unres(struct mr_table *mrt, struct mfc_cache *c)
582{ 586{
583 struct net *net = NULL; //mrt->net; 587 struct net *net = read_pnet(&mrt->net);
584 struct sk_buff *skb; 588 struct sk_buff *skb;
585 struct nlmsgerr *e; 589 struct nlmsgerr *e;
586 590