From patchwork Wed Oct 1 09:11:57 2008
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Denis V. Lunev"
X-Patchwork-Id: 2212
Return-Path:
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by ozlabs.org (Postfix) with ESMTP id 7F63BDDF21 for ; Wed, 1 Oct 2008 19:11:56 +1000 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753345AbYJAJLw (ORCPT ); Wed, 1 Oct 2008 05:11:52 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1753279AbYJAJLw (ORCPT ); Wed, 1 Oct 2008 05:11:52 -0400
Received: from mailhub.sw.ru ([195.214.232.25]:3546 "EHLO relay.sw.ru" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753261AbYJAJLv (ORCPT ); Wed, 1 Oct 2008 05:11:51 -0400
Received: from iris.sw.ru ([10.30.1.9]) (authenticated bits=0) by relay.sw.ru (8.13.4/8.13.4) with ESMTP id m919BgtM020270 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 1 Oct 2008 13:11:43 +0400 (MSD)
Received: from den by iris.sw.ru with local (Exim 4.69) (envelope-from ) id 1KkxkT-0001sF-6Q; Wed, 01 Oct 2008 13:11:57 +0400
From: "Denis V. Lunev"
To: davem@davemloft.net
Cc: xemul@openvz.org, vgusev@openvz.org, netdev@vger.kernel.org, "Denis V. Lunev"
Subject: [PATCH net-2.6] ipv6: NULL pointer dereference in tcp_v6_send_ack
Date: Wed, 1 Oct 2008 13:11:57 +0400
Message-Id: <1222852317-7177-1-git-send-email-den@openvz.org>
X-Mailer: git-send-email 1.5.6.4
In-Reply-To: <20081001.020359.48616451.davem@davemloft.net>
References: <20081001.020359.48616451.davem@davemloft.net>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

The following actions are possible:

tcp_v6_rcv
    skb->dev = NULL;
    tcp_v6_do_rcv
        tcp_v6_hnd_req
            tcp_check_req
                req->rsk_ops->send_ack == tcp_v6_send_ack

So, skb->dev can be NULL in tcp_v6_send_ack.

We must obtain namespace from dst entry.

Thanks to Vitaliy Gusev for initial problem finding in IPv4 code.

Signed-off-by: Denis V. Lunev
---
 net/ipv4/tcp_ipv4.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index b585c85..10e22fd 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -1050,7 +1050,7 @@ static void tcp_v6_send_ack(struct sk_buff *skb, u32 seq, u32 ack, u32 win, u32 struct tcphdr *th = tcp_hdr(skb), *t1; struct sk_buff *buff; struct flowi fl; - struct net *net = dev_net(skb->dev); + struct net *net = dev_net(skb->dst->dev); struct sock *ctl_sk = net->ipv6.tcp_sk; unsigned int tot_len = sizeof(struct tcphdr); __be32 *topt;
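Review bot: the diffstat after the `---` marker lists net/ipv4/tcp_ipv4.c, but the only hunk in this patch is against net/ipv6/tcp_ipv6.c; regenerate the diffstat so it matches the diff (`net/ipv6/tcp_ipv6.c | 2 +-`). On the hunk itself, the change swaps a dereference of skb->dev, which the commit message shows is cleared on the tcp_v6_rcv -> tcp_v6_do_rcv -> tcp_v6_hnd_req -> tcp_check_req path, for a dereference of skb->dst->dev, but the message does not say where skb->dst is set on that path or why it is non-NULL for every caller of tcp_v6_send_ack; state that in the commit message so the replacement dereference can be verified, and a one-line comment above `struct net *net = dev_net(skb->dst->dev);` noting that skb->dev may be NULL here would stop a later cleanup from reintroducing the bug.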