diff mbox

[CVE-2014-2678,All,Series] rds: prevent dereference of a NULL device in rds_iw_laddr_check

Message ID 1396618371-10862-1-git-send-email-luis.henriques@canonical.com
State New
Headers show

Commit Message

Luis Henriques April 4, 2014, 1:32 p.m. UTC 
From: Sasha Levin <sasha.levin@oracle.com>

Binding might result in a NULL device which is later dereferenced
without checking.

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit bf39b4247b8799935ea91d90db250ab608a58e50)
BugLink: http://bugs.launchpad.net/bugs/1302222
CVE-2014-2678
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 net/rds/iw.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Brad Figg April 4, 2014, 2:03 p.m. UTC | #1 
On 04/04/2014 06:32 AM, Luis Henriques wrote:
> From: Sasha Levin <sasha.levin@oracle.com>
> 
> Binding might result in a NULL device which is later dereferenced
> without checking.
> 
> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> (cherry picked from commit bf39b4247b8799935ea91d90db250ab608a58e50)
> BugLink: http://bugs.launchpad.net/bugs/1302222
> CVE-2014-2678
> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> ---
>  net/rds/iw.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/rds/iw.c b/net/rds/iw.c
> index db224f7..bff1e4b 100644
> --- a/net/rds/iw.c
> +++ b/net/rds/iw.c
> @@ -237,7 +237,8 @@ static int rds_iw_laddr_check(__be32 addr)
>  	ret = rdma_bind_addr(cm_id, (struct sockaddr *)&sin);
>  	/* due to this, we will claim to support IB devices unless we
>  	   check node_type. */
> -	if (ret || cm_id->device->node_type != RDMA_NODE_RNIC)
> +	if (ret || !cm_id->device ||
> +	    cm_id->device->node_type != RDMA_NODE_RNIC)
>  		ret = -EADDRNOTAVAIL;
>  
>  	rdsdebug("addr %pI4 ret %d node type %d\n",
>
Seth Forshee April 4, 2014, 8:09 p.m. UTC | #2 
On Fri, Apr 04, 2014 at 02:32:51PM +0100, Luis Henriques wrote:
> From: Sasha Levin <sasha.levin@oracle.com>
> 
> Binding might result in a NULL device which is later dereferenced
> without checking.
> 
> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> (cherry picked from commit bf39b4247b8799935ea91d90db250ab608a58e50)
> BugLink: http://bugs.launchpad.net/bugs/1302222
> CVE-2014-2678
> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> ---
>  net/rds/iw.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/rds/iw.c b/net/rds/iw.c
> index db224f7..bff1e4b 100644
> --- a/net/rds/iw.c
> +++ b/net/rds/iw.c
> @@ -237,7 +237,8 @@ static int rds_iw_laddr_check(__be32 addr)
>  	ret = rdma_bind_addr(cm_id, (struct sockaddr *)&sin);
>  	/* due to this, we will claim to support IB devices unless we
>  	   check node_type. */
> -	if (ret || cm_id->device->node_type != RDMA_NODE_RNIC)
> +	if (ret || !cm_id->device ||
> +	    cm_id->device->node_type != RDMA_NODE_RNIC)
>  		ret = -EADDRNOTAVAIL;
>  
>  	rdsdebug("addr %pI4 ret %d node type %d\n",
> -- 
> 1.9.1
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Tim Gardner April 7, 2014, 5:16 p.m. UTC | #3
diff mbox

Patch

diff --git a/net/rds/iw.c b/net/rds/iw.c
index db224f7..bff1e4b 100644
--- a/net/rds/iw.c
+++ b/net/rds/iw.c
@@ -237,7 +237,8 @@  static int rds_iw_laddr_check(__be32 addr)
 	ret = rdma_bind_addr(cm_id, (struct sockaddr *)&sin);
 	/* due to this, we will claim to support IB devices unless we
 	   check node_type. */
-	if (ret || cm_id->device->node_type != RDMA_NODE_RNIC)
+	if (ret || !cm_id->device ||
+	    cm_id->device->node_type != RDMA_NODE_RNIC)
 		ret = -EADDRNOTAVAIL;
 
 	rdsdebug("addr %pI4 ret %d node type %d\n",