diff options
| author | Eric Dumazet <edumazet@google.com> | 2012-08-09 22:22:47 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2012-08-10 17:08:57 -0400 |
| commit | b5ec8eeac46a99004c26791f70b15d001e970acf (patch) | |
| tree | 8609d6c3e5e9504e6f084828b9b0f8a9084652e3 | |
| parent | 63d02d157ec4124990258d66517b6c11fd6df0cf (diff) | |
ipv4: fix ip_send_skb()
ip_send_skb() can send orphaned skb, so we must pass the net pointer to
avoid possible NULL dereference in error path.
Bug added by commit 3a7c384ffd57 (ipv4: tcp: unicast_sock should not
land outside of TCP stack)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | include/net/ip.h | 2 | ||||
| -rw-r--r-- | net/ipv4/ip_output.c | 5 | ||||
| -rw-r--r-- | net/ipv4/udp.c | 2 |
3 files changed, 4 insertions, 5 deletions
diff --git a/include/net/ip.h b/include/net/ip.h index bd5e444a19ce..5a5d84d3d2c6 100644 --- a/include/net/ip.h +++ b/include/net/ip.h | |||
| @@ -120,7 +120,7 @@ extern struct sk_buff *__ip_make_skb(struct sock *sk, | |||
| 120 | struct flowi4 *fl4, | 120 | struct flowi4 *fl4, |
| 121 | struct sk_buff_head *queue, | 121 | struct sk_buff_head *queue, |
| 122 | struct inet_cork *cork); | 122 | struct inet_cork *cork); |
| 123 | extern int ip_send_skb(struct sk_buff *skb); | 123 | extern int ip_send_skb(struct net *net, struct sk_buff *skb); |
| 124 | extern int ip_push_pending_frames(struct sock *sk, struct flowi4 *fl4); | 124 | extern int ip_push_pending_frames(struct sock *sk, struct flowi4 *fl4); |
| 125 | extern void ip_flush_pending_frames(struct sock *sk); | 125 | extern void ip_flush_pending_frames(struct sock *sk); |
| 126 | extern struct sk_buff *ip_make_skb(struct sock *sk, | 126 | extern struct sk_buff *ip_make_skb(struct sock *sk, |
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index ec410e08b4b9..147ccc3e93db 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c | |||
| @@ -1366,9 +1366,8 @@ out: | |||
| 1366 | return skb; | 1366 | return skb; |
| 1367 | } | 1367 | } |
| 1368 | 1368 | ||
| 1369 | int ip_send_skb(struct sk_buff *skb) | 1369 | int ip_send_skb(struct net *net, struct sk_buff *skb) |
| 1370 | { | 1370 | { |
| 1371 | struct net *net = sock_net(skb->sk); | ||
| 1372 | int err; | 1371 | int err; |
| 1373 | 1372 | ||
| 1374 | err = ip_local_out(skb); | 1373 | err = ip_local_out(skb); |
| @@ -1391,7 +1390,7 @@ int ip_push_pending_frames(struct sock *sk, struct flowi4 *fl4) | |||
| 1391 | return 0; | 1390 | return 0; |
| 1392 | 1391 | ||
| 1393 | /* Netfilter gets whole the not fragmented skb. */ | 1392 | /* Netfilter gets whole the not fragmented skb. */ |
| 1394 | return ip_send_skb(skb); | 1393 | return ip_send_skb(sock_net(sk), skb); |
| 1395 | } | 1394 | } |
| 1396 | 1395 | ||
| 1397 | /* | 1396 | /* |
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index b4c3582a991f..6f6d1aca3c3d 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c | |||
| @@ -758,7 +758,7 @@ static int udp_send_skb(struct sk_buff *skb, struct flowi4 *fl4) | |||
| 758 | uh->check = CSUM_MANGLED_0; | 758 | uh->check = CSUM_MANGLED_0; |
| 759 | 759 | ||
| 760 | send: | 760 | send: |
| 761 | err = ip_send_skb(skb); | 761 | err = ip_send_skb(sock_net(sk), skb); |
| 762 | if (err) { | 762 | if (err) { |
| 763 | if (err == -ENOBUFS && !inet->recverr) { | 763 | if (err == -ENOBUFS && !inet->recverr) { |
| 764 | UDP_INC_STATS_USER(sock_net(sk), | 764 | UDP_INC_STATS_USER(sock_net(sk), |