diff options
| author | Patrick McHardy <kaber@trash.net> | 2006-12-05 16:46:13 -0500 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2006-12-06 21:39:07 -0500 |
| commit | 5c804bfdcca2593422dd6edc2d7db4dba645543c (patch) | |
| tree | b8b0993a2855372b037f6bbef2f4b67908b16ce8 /net/sched | |
| parent | f216f082b2b37c4943f1e7c393e2786648d48f6f (diff) | |
[NET_SCHED]: cls_fw: fix NULL pointer dereference
When the first fw classifier is initialized, there is a small window
between the ->init() and ->change() calls, during which the classifier
is active but not entirely set up and tp->root is still NULL (->init()
does nothing).
When a packet is queued during this window a NULL pointer dereference
occurs in fw_classify() when trying to dereference head->mask;
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sched')
| -rw-r--r-- | net/sched/cls_fw.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c index f59a2c4aa039..c797d6ada7de 100644 --- a/net/sched/cls_fw.c +++ b/net/sched/cls_fw.c | |||
| @@ -101,9 +101,10 @@ static int fw_classify(struct sk_buff *skb, struct tcf_proto *tp, | |||
| 101 | struct fw_head *head = (struct fw_head*)tp->root; | 101 | struct fw_head *head = (struct fw_head*)tp->root; |
| 102 | struct fw_filter *f; | 102 | struct fw_filter *f; |
| 103 | int r; | 103 | int r; |
| 104 | u32 id = skb->mark & head->mask; | 104 | u32 id = skb->mark; |
| 105 | 105 | ||
| 106 | if (head != NULL) { | 106 | if (head != NULL) { |
| 107 | id &= head->mask; | ||
| 107 | for (f=head->ht[fw_hash(id)]; f; f=f->next) { | 108 | for (f=head->ht[fw_hash(id)]; f; f=f->next) { |
| 108 | if (f->id == id) { | 109 | if (f->id == id) { |
| 109 | *res = f->res; | 110 | *res = f->res; |