aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNeil Horman <nhorman@tuxdriver.com>2008-09-09 16:51:35 -0400
committerDavid S. Miller <davem@davemloft.net>2008-09-09 16:51:35 -0400
commite550dfb0c2c31b6363aa463a035fc9f8dcaa3c9b (patch)
tree66f11aed70a892a3768d3e0f5100cd4c1c7b6b1e
parent225f40055f779032974a9fce7b2f9c9eda04ff58 (diff)
ipv6: Fix OOPS in ip6_dst_lookup_tail().
This fixes kernel bugzilla 11469: "TUN with 1024 neighbours: ip6_dst_lookup_tail NULL crash" dst->neighbour is not necessarily hooked up at this point in the processing path, so blindly dereferencing it is the wrong thing to do. This NULL check exists in other similar paths and this case was just an oversight. Also fix the completely wrong and confusing indentation here while we're at it. Based upon a patch by Evgeniy Polyakov. Signed-off-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv6/ip6_output.c64
1 files changed, 32 insertions, 32 deletions
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 0e844c2736a7..3df2c442d90b 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -943,39 +943,39 @@ static int ip6_dst_lookup_tail(struct sock *sk,
943 } 943 }
944 944
945#ifdef CONFIG_IPV6_OPTIMISTIC_DAD 945#ifdef CONFIG_IPV6_OPTIMISTIC_DAD
946 /* 946 /*
947 * Here if the dst entry we've looked up 947 * Here if the dst entry we've looked up
948 * has a neighbour entry that is in the INCOMPLETE 948 * has a neighbour entry that is in the INCOMPLETE
949 * state and the src address from the flow is 949 * state and the src address from the flow is
950 * marked as OPTIMISTIC, we release the found 950 * marked as OPTIMISTIC, we release the found
951 * dst entry and replace it instead with the 951 * dst entry and replace it instead with the
952 * dst entry of the nexthop router 952 * dst entry of the nexthop router
953 */ 953 */
954 if (!((*dst)->neighbour->nud_state & NUD_VALID)) { 954 if ((*dst)->neighbour && !((*dst)->neighbour->nud_state & NUD_VALID)) {
955 struct inet6_ifaddr *ifp; 955 struct inet6_ifaddr *ifp;
956 struct flowi fl_gw; 956 struct flowi fl_gw;
957 int redirect; 957 int redirect;
958 958
959 ifp = ipv6_get_ifaddr(net, &fl->fl6_src, 959 ifp = ipv6_get_ifaddr(net, &fl->fl6_src,
960 (*dst)->dev, 1); 960 (*dst)->dev, 1);
961 961
962 redirect = (ifp && ifp->flags & IFA_F_OPTIMISTIC); 962 redirect = (ifp && ifp->flags & IFA_F_OPTIMISTIC);
963 if (ifp) 963 if (ifp)
964 in6_ifa_put(ifp); 964 in6_ifa_put(ifp);
965 965
966 if (redirect) { 966 if (redirect) {
967 /* 967 /*
968 * We need to get the dst entry for the 968 * We need to get the dst entry for the
969 * default router instead 969 * default router instead
970 */ 970 */
971 dst_release(*dst); 971 dst_release(*dst);
972 memcpy(&fl_gw, fl, sizeof(struct flowi)); 972 memcpy(&fl_gw, fl, sizeof(struct flowi));
973 memset(&fl_gw.fl6_dst, 0, sizeof(struct in6_addr)); 973 memset(&fl_gw.fl6_dst, 0, sizeof(struct in6_addr));
974 *dst = ip6_route_output(net, sk, &fl_gw); 974 *dst = ip6_route_output(net, sk, &fl_gw);
975 if ((err = (*dst)->error)) 975 if ((err = (*dst)->error))
976 goto out_err_release; 976 goto out_err_release;
977 }
978 } 977 }
978 }
979#endif 979#endif
980 980
981 return 0; 981 return 0;