aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorYOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>2008-05-29 06:55:05 -0400
committerYOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>2008-06-04 15:02:30 -0400
commite51171019bb0e1f9fb57c25bd2e38ce652eaea27 (patch)
tree6adf7c9e23c54de5a2b361c8e59d692a29e7541e /net
parent7dccf1f4e1696c79bff064c3770867cc53cbc71c (diff)
[SCTP]: Fix NULL dereference of asoc.
Commit 7cbca67c073263c179f605bdbbdc565ab29d801d ("[IPV6]: Support Source Address Selection API (RFC5014)") introduced NULL dereference of asoc to sctp_v6_get_saddr in net/sctp/ipv6.c. Pointed out by Johann Felix Soden <johfel@users.sourceforge.net>. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Diffstat (limited to 'net')
-rw-r--r--net/sctp/ipv6.c5
-rw-r--r--net/sctp/protocol.c3
-rw-r--r--net/sctp/transport.c2
3 files changed, 6 insertions, 4 deletions
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index e45e44c60635..e4aac3266fcd 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -299,7 +299,8 @@ static inline int sctp_v6_addr_match_len(union sctp_addr *s1,
299/* Fills in the source address(saddr) based on the destination address(daddr) 299/* Fills in the source address(saddr) based on the destination address(daddr)
300 * and asoc's bind address list. 300 * and asoc's bind address list.
301 */ 301 */
302static void sctp_v6_get_saddr(struct sctp_association *asoc, 302static void sctp_v6_get_saddr(struct sctp_sock *sk,
303 struct sctp_association *asoc,
303 struct dst_entry *dst, 304 struct dst_entry *dst,
304 union sctp_addr *daddr, 305 union sctp_addr *daddr,
305 union sctp_addr *saddr) 306 union sctp_addr *saddr)
@@ -318,7 +319,7 @@ static void sctp_v6_get_saddr(struct sctp_association *asoc,
318 if (!asoc) { 319 if (!asoc) {
319 ipv6_dev_get_saddr(dst ? ip6_dst_idev(dst)->dev : NULL, 320 ipv6_dev_get_saddr(dst ? ip6_dst_idev(dst)->dev : NULL,
320 &daddr->v6.sin6_addr, 321 &daddr->v6.sin6_addr,
321 inet6_sk(asoc->base.sk)->srcprefs, 322 inet6_sk(&sk->inet.sk)->srcprefs,
322 &saddr->v6.sin6_addr); 323 &saddr->v6.sin6_addr);
323 SCTP_DEBUG_PRINTK("saddr from ipv6_get_saddr: " NIP6_FMT "\n", 324 SCTP_DEBUG_PRINTK("saddr from ipv6_get_saddr: " NIP6_FMT "\n",
324 NIP6(saddr->v6.sin6_addr)); 325 NIP6(saddr->v6.sin6_addr));
diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
index 0ec234b762c2..13ee7fa92e07 100644
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -519,7 +519,8 @@ out:
519/* For v4, the source address is cached in the route entry(dst). So no need 519/* For v4, the source address is cached in the route entry(dst). So no need
520 * to cache it separately and hence this is an empty routine. 520 * to cache it separately and hence this is an empty routine.
521 */ 521 */
522static void sctp_v4_get_saddr(struct sctp_association *asoc, 522static void sctp_v4_get_saddr(struct sctp_sock *sk,
523 struct sctp_association *asoc,
523 struct dst_entry *dst, 524 struct dst_entry *dst,
524 union sctp_addr *daddr, 525 union sctp_addr *daddr,
525 union sctp_addr *saddr) 526 union sctp_addr *saddr)
diff --git a/net/sctp/transport.c b/net/sctp/transport.c
index f4938f6c5abe..62082e7b7972 100644
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -291,7 +291,7 @@ void sctp_transport_route(struct sctp_transport *transport,
291 if (saddr) 291 if (saddr)
292 memcpy(&transport->saddr, saddr, sizeof(union sctp_addr)); 292 memcpy(&transport->saddr, saddr, sizeof(union sctp_addr));
293 else 293 else
294 af->get_saddr(asoc, dst, daddr, &transport->saddr); 294 af->get_saddr(opt, asoc, dst, daddr, &transport->saddr);
295 295
296 transport->dst = dst; 296 transport->dst = dst;
297 if ((transport->param_flags & SPP_PMTUD_DISABLE) && transport->pathmtu) { 297 if ((transport->param_flags & SPP_PMTUD_DISABLE) && transport->pathmtu) {