diff options
author | Eric Dumazet <eric.dumazet@gmail.com> | 2010-10-04 18:42:08 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-10-05 23:35:53 -0400 |
commit | 79315068f4560f3f7bd6e9790190dcb43059770c (patch) | |
tree | da41cf961fd143ba9365fcb18a657dba904e617f | |
parent | 27e6f065df132b5270014d3285889b15185e9da9 (diff) |
caif: fix two caif_connect() bugs
caif_connect() might dereference a netdevice after dev_put() it.
It also doesnt check dev_get_by_index() return value and could
dereference a NULL pointer.
Fix it, using RCU to avoid taking a reference.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/caif/caif_socket.c | 21 |
1 files changed, 15 insertions, 6 deletions
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c index 8ce904786116..4bf28f25f368 100644 --- a/net/caif/caif_socket.c +++ b/net/caif/caif_socket.c | |||
@@ -827,6 +827,7 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr, | |||
827 | long timeo; | 827 | long timeo; |
828 | int err; | 828 | int err; |
829 | int ifindex, headroom, tailroom; | 829 | int ifindex, headroom, tailroom; |
830 | unsigned int mtu; | ||
830 | struct net_device *dev; | 831 | struct net_device *dev; |
831 | 832 | ||
832 | lock_sock(sk); | 833 | lock_sock(sk); |
@@ -896,15 +897,23 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr, | |||
896 | cf_sk->sk.sk_state = CAIF_DISCONNECTED; | 897 | cf_sk->sk.sk_state = CAIF_DISCONNECTED; |
897 | goto out; | 898 | goto out; |
898 | } | 899 | } |
899 | dev = dev_get_by_index(sock_net(sk), ifindex); | 900 | |
901 | err = -ENODEV; | ||
902 | rcu_read_lock(); | ||
903 | dev = dev_get_by_index_rcu(sock_net(sk), ifindex); | ||
904 | if (!dev) { | ||
905 | rcu_read_unlock(); | ||
906 | goto out; | ||
907 | } | ||
900 | cf_sk->headroom = LL_RESERVED_SPACE_EXTRA(dev, headroom); | 908 | cf_sk->headroom = LL_RESERVED_SPACE_EXTRA(dev, headroom); |
909 | mtu = dev->mtu; | ||
910 | rcu_read_unlock(); | ||
911 | |||
901 | cf_sk->tailroom = tailroom; | 912 | cf_sk->tailroom = tailroom; |
902 | cf_sk->maxframe = dev->mtu - (headroom + tailroom); | 913 | cf_sk->maxframe = mtu - (headroom + tailroom); |
903 | dev_put(dev); | ||
904 | if (cf_sk->maxframe < 1) { | 914 | if (cf_sk->maxframe < 1) { |
905 | pr_warning("CAIF: %s(): CAIF Interface MTU too small (%d)\n", | 915 | pr_warning("CAIF: %s(): CAIF Interface MTU too small (%u)\n", |
906 | __func__, dev->mtu); | 916 | __func__, mtu); |
907 | err = -ENODEV; | ||
908 | goto out; | 917 | goto out; |
909 | } | 918 | } |
910 | 919 | ||