aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2006-12-05 16:46:13 -0500
committerDavid S. Miller <davem@sunset.davemloft.net>2006-12-06 21:39:07 -0500
commit5c804bfdcca2593422dd6edc2d7db4dba645543c (patch)
treeb8b0993a2855372b037f6bbef2f4b67908b16ce8
parentf216f082b2b37c4943f1e7c393e2786648d48f6f (diff)
[NET_SCHED]: cls_fw: fix NULL pointer dereference
When the first fw classifier is initialized, there is a small window between the ->init() and ->change() calls, during which the classifier is active but not entirely set up and tp->root is still NULL (->init() does nothing). When a packet is queued during this window a NULL pointer dereference occurs in fw_classify() when trying to dereference head->mask; Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/sched/cls_fw.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index f59a2c4aa039..c797d6ada7de 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -101,9 +101,10 @@ static int fw_classify(struct sk_buff *skb, struct tcf_proto *tp,
101 struct fw_head *head = (struct fw_head*)tp->root; 101 struct fw_head *head = (struct fw_head*)tp->root;
102 struct fw_filter *f; 102 struct fw_filter *f;
103 int r; 103 int r;
104 u32 id = skb->mark & head->mask; 104 u32 id = skb->mark;
105 105
106 if (head != NULL) { 106 if (head != NULL) {
107 id &= head->mask;
107 for (f=head->ht[fw_hash(id)]; f; f=f->next) { 108 for (f=head->ht[fw_hash(id)]; f; f=f->next) {
108 if (f->id == id) { 109 if (f->id == id) {
109 *res = f->res; 110 *res = f->res;