[SCTP]: Fix NULL dereference of asoc.

Commit 7cbca67c073263c179f605bdbbdc565ab29d801d ("[IPV6]: Support
Source Address Selection API (RFC5014)") introduced NULL dereference
of asoc to sctp_v6_get_saddr in net/sctp/ipv6.c.
Pointed out by Johann Felix Soden <johfel@users.sourceforge.net>.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>

4 files changed, 8 insertions, 5 deletions

diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 0ce0443c5b79..917d425f0542 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -548,7 +548,8 @@ struct sctp_af {
         struct dst_entry *(*get_dst)    (struct sctp_association *asoc,
                                          union sctp_addr *daddr,
                                          union sctp_addr *saddr);
-        void            (*get_saddr)    (struct sctp_association *asoc,
+        void            (*get_saddr)    (struct sctp_sock *sk,
+                                         struct sctp_association *asoc,
                                          struct dst_entry *dst,
                                          union sctp_addr *daddr,
                                          union sctp_addr *saddr);
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index e45e44c60635..e4aac3266fcd 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -299,7 +299,8 @@ static inline int sctp_v6_addr_match_len(union sctp_addr *s1,
 /* Fills in the source address(saddr) based on the destination address(daddr)
  * and asoc's bind address list.
  */
-static void sctp_v6_get_saddr(struct sctp_association *asoc,
+static void sctp_v6_get_saddr(struct sctp_sock *sk,
+                              struct sctp_association *asoc,
                               struct dst_entry *dst,
                               union sctp_addr *daddr,
                               union sctp_addr *saddr)
@@ -318,7 +319,7 @@ static void sctp_v6_get_saddr(struct sctp_association *asoc,
         if (!asoc) {
                 ipv6_dev_get_saddr(dst ? ip6_dst_idev(dst)->dev : NULL,
                                    &daddr->v6.sin6_addr,
-                                   inet6_sk(asoc->base.sk)->srcprefs,
+                                   inet6_sk(&sk->inet.sk)->srcprefs,
                                    &saddr->v6.sin6_addr);
                 SCTP_DEBUG_PRINTK("saddr from ipv6_get_saddr: " NIP6_FMT "\n",
                                   NIP6(saddr->v6.sin6_addr));
diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
index 0ec234b762c2..13ee7fa92e07 100644
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -519,7 +519,8 @@ out:
 /* For v4, the source address is cached in the route entry(dst). So no need
  * to cache it separately and hence this is an empty routine.
  */
-static void sctp_v4_get_saddr(struct sctp_association *asoc,
+static void sctp_v4_get_saddr(struct sctp_sock *sk,
+                              struct sctp_association *asoc,
                               struct dst_entry *dst,
                               union sctp_addr *daddr,
                               union sctp_addr *saddr)
diff --git a/net/sctp/transport.c b/net/sctp/transport.c
index f4938f6c5abe..62082e7b7972 100644
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -291,7 +291,7 @@ void sctp_transport_route(struct sctp_transport *transport,
         if (saddr)
                 memcpy(&transport->saddr, saddr, sizeof(union sctp_addr));
         else
-                af->get_saddr(asoc, dst, daddr, &transport->saddr);
+                af->get_saddr(opt, asoc, dst, daddr, &transport->saddr);
 
         transport->dst = dst;
         if ((transport->param_flags & SPP_PMTUD_DISABLE) && transport->pathmtu) {