diff options
author | Neil Horman <nhorman@tuxdriver.com> | 2008-09-09 16:51:35 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-09-09 16:51:35 -0400 |
commit | e550dfb0c2c31b6363aa463a035fc9f8dcaa3c9b (patch) | |
tree | 66f11aed70a892a3768d3e0f5100cd4c1c7b6b1e /net | |
parent | 225f40055f779032974a9fce7b2f9c9eda04ff58 (diff) |
ipv6: Fix OOPS in ip6_dst_lookup_tail().
This fixes kernel bugzilla 11469: "TUN with 1024 neighbours:
ip6_dst_lookup_tail NULL crash"
dst->neighbour is not necessarily hooked up at this point
in the processing path, so blindly dereferencing it is
the wrong thing to do. This NULL check exists in other
similar paths and this case was just an oversight.
Also fix the completely wrong and confusing indentation
here while we're at it.
Based upon a patch by Evgeniy Polyakov.
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/ipv6/ip6_output.c | 64 |
1 files changed, 32 insertions, 32 deletions
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 0e844c2736a7..3df2c442d90b 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c | |||
@@ -943,39 +943,39 @@ static int ip6_dst_lookup_tail(struct sock *sk, | |||
943 | } | 943 | } |
944 | 944 | ||
945 | #ifdef CONFIG_IPV6_OPTIMISTIC_DAD | 945 | #ifdef CONFIG_IPV6_OPTIMISTIC_DAD |
946 | /* | 946 | /* |
947 | * Here if the dst entry we've looked up | 947 | * Here if the dst entry we've looked up |
948 | * has a neighbour entry that is in the INCOMPLETE | 948 | * has a neighbour entry that is in the INCOMPLETE |
949 | * state and the src address from the flow is | 949 | * state and the src address from the flow is |
950 | * marked as OPTIMISTIC, we release the found | 950 | * marked as OPTIMISTIC, we release the found |
951 | * dst entry and replace it instead with the | 951 | * dst entry and replace it instead with the |
952 | * dst entry of the nexthop router | 952 | * dst entry of the nexthop router |
953 | */ | 953 | */ |
954 | if (!((*dst)->neighbour->nud_state & NUD_VALID)) { | 954 | if ((*dst)->neighbour && !((*dst)->neighbour->nud_state & NUD_VALID)) { |
955 | struct inet6_ifaddr *ifp; | 955 | struct inet6_ifaddr *ifp; |
956 | struct flowi fl_gw; | 956 | struct flowi fl_gw; |
957 | int redirect; | 957 | int redirect; |
958 | 958 | ||
959 | ifp = ipv6_get_ifaddr(net, &fl->fl6_src, | 959 | ifp = ipv6_get_ifaddr(net, &fl->fl6_src, |
960 | (*dst)->dev, 1); | 960 | (*dst)->dev, 1); |
961 | 961 | ||
962 | redirect = (ifp && ifp->flags & IFA_F_OPTIMISTIC); | 962 | redirect = (ifp && ifp->flags & IFA_F_OPTIMISTIC); |
963 | if (ifp) | 963 | if (ifp) |
964 | in6_ifa_put(ifp); | 964 | in6_ifa_put(ifp); |
965 | 965 | ||
966 | if (redirect) { | 966 | if (redirect) { |
967 | /* | 967 | /* |
968 | * We need to get the dst entry for the | 968 | * We need to get the dst entry for the |
969 | * default router instead | 969 | * default router instead |
970 | */ | 970 | */ |
971 | dst_release(*dst); | 971 | dst_release(*dst); |
972 | memcpy(&fl_gw, fl, sizeof(struct flowi)); | 972 | memcpy(&fl_gw, fl, sizeof(struct flowi)); |
973 | memset(&fl_gw.fl6_dst, 0, sizeof(struct in6_addr)); | 973 | memset(&fl_gw.fl6_dst, 0, sizeof(struct in6_addr)); |
974 | *dst = ip6_route_output(net, sk, &fl_gw); | 974 | *dst = ip6_route_output(net, sk, &fl_gw); |
975 | if ((err = (*dst)->error)) | 975 | if ((err = (*dst)->error)) |
976 | goto out_err_release; | 976 | goto out_err_release; |
977 | } | ||
978 | } | 977 | } |
978 | } | ||
979 | #endif | 979 | #endif |
980 | 980 | ||
981 | return 0; | 981 | return 0; |