diff options
| author | Mariusz Kozlowski <m.kozlowski@tuxland.pl> | 2009-07-05 15:48:35 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2009-07-06 15:47:07 -0400 |
| commit | 3c8a9c63d5fd738c261bd0ceece04d9c8357ca13 (patch) | |
| tree | 7c60ab7e391f73ffcbcb98613ee454f843d7b3d1 | |
| parent | 1ded3f59f35a2642852b3e2a1c0fa8a97777e9af (diff) | |
tun/tap: Fix crashes if open() /dev/net/tun and then poll() it.
Fix NULL pointer dereference in tun_chr_pool() introduced by commit
33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 ("tun: Limit amount of queued
packets per device") and triggered by this code:
int fd;
struct pollfd pfd;
fd = open("/dev/net/tun", O_RDWR);
pfd.fd = fd;
pfd.events = POLLIN | POLLOUT;
poll(&pfd, 1, 0);
Reported-by: Eugene Kapun <abacabadabacaba@gmail.com>
Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | drivers/net/tun.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/net/tun.c b/drivers/net/tun.c index b393536012fb..027f7aba26af 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c | |||
| @@ -486,12 +486,14 @@ static unsigned int tun_chr_poll(struct file *file, poll_table * wait) | |||
| 486 | { | 486 | { |
| 487 | struct tun_file *tfile = file->private_data; | 487 | struct tun_file *tfile = file->private_data; |
| 488 | struct tun_struct *tun = __tun_get(tfile); | 488 | struct tun_struct *tun = __tun_get(tfile); |
| 489 | struct sock *sk = tun->sk; | 489 | struct sock *sk; |
| 490 | unsigned int mask = 0; | 490 | unsigned int mask = 0; |
| 491 | 491 | ||
| 492 | if (!tun) | 492 | if (!tun) |
| 493 | return POLLERR; | 493 | return POLLERR; |
| 494 | 494 | ||
| 495 | sk = tun->sk; | ||
| 496 | |||
| 495 | DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name); | 497 | DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name); |
| 496 | 498 | ||
| 497 | poll_wait(file, &tun->socket.wait, wait); | 499 | poll_wait(file, &tun->socket.wait, wait); |