aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Dumazet <eric.dumazet@gmail.com>2010-10-04 18:42:08 -0400
committerDavid S. Miller <davem@davemloft.net>2010-10-05 23:35:53 -0400
commit79315068f4560f3f7bd6e9790190dcb43059770c (patch)
treeda41cf961fd143ba9365fcb18a657dba904e617f
parent27e6f065df132b5270014d3285889b15185e9da9 (diff)
caif: fix two caif_connect() bugs
caif_connect() might dereference a netdevice after dev_put() it. It also doesnt check dev_get_by_index() return value and could dereference a NULL pointer. Fix it, using RCU to avoid taking a reference. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> CC: Sjur Braendeland <sjur.brandeland@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/caif/caif_socket.c21
1 files changed, 15 insertions, 6 deletions
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index 8ce904786116..4bf28f25f368 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -827,6 +827,7 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr,
827 long timeo; 827 long timeo;
828 int err; 828 int err;
829 int ifindex, headroom, tailroom; 829 int ifindex, headroom, tailroom;
830 unsigned int mtu;
830 struct net_device *dev; 831 struct net_device *dev;
831 832
832 lock_sock(sk); 833 lock_sock(sk);
@@ -896,15 +897,23 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr,
896 cf_sk->sk.sk_state = CAIF_DISCONNECTED; 897 cf_sk->sk.sk_state = CAIF_DISCONNECTED;
897 goto out; 898 goto out;
898 } 899 }
899 dev = dev_get_by_index(sock_net(sk), ifindex); 900
901 err = -ENODEV;
902 rcu_read_lock();
903 dev = dev_get_by_index_rcu(sock_net(sk), ifindex);
904 if (!dev) {
905 rcu_read_unlock();
906 goto out;
907 }
900 cf_sk->headroom = LL_RESERVED_SPACE_EXTRA(dev, headroom); 908 cf_sk->headroom = LL_RESERVED_SPACE_EXTRA(dev, headroom);
909 mtu = dev->mtu;
910 rcu_read_unlock();
911
901 cf_sk->tailroom = tailroom; 912 cf_sk->tailroom = tailroom;
902 cf_sk->maxframe = dev->mtu - (headroom + tailroom); 913 cf_sk->maxframe = mtu - (headroom + tailroom);
903 dev_put(dev);
904 if (cf_sk->maxframe < 1) { 914 if (cf_sk->maxframe < 1) {
905 pr_warning("CAIF: %s(): CAIF Interface MTU too small (%d)\n", 915 pr_warning("CAIF: %s(): CAIF Interface MTU too small (%u)\n",
906 __func__, dev->mtu); 916 __func__, mtu);
907 err = -ENODEV;
908 goto out; 917 goto out;
909 } 918 }
910 919