[v2] ipv6:ipv6_pinfo dereferenced after NULL check

Message ID 1479984117-39005-1-git-send-email-manjeet.p@samsung.com
State Changes Requested, archived
Delegated to: David Miller

Commit Message

Manjeet Pawar Nov. 24, 2016, 10:41 a.m. UTC
From: Rohit Thapliyal <r.thapliyal@samsung.com>

np is checked for NULL and then dereferenced. It should be modified
for the NULL case.

Signed-off-by: Rohit Thapliyal <r.thapliyal@samsung.com>
Signed-off-by: Manjeet Pawar <manjeet.p@samsung.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Reviewed-by: Akhilesh Kumar <akhilesh.k@samsung.com>

---
v1->v2: Modified as per the suggestion of Hannes
        np ? np->autoflowlabel : ip6_default_np_autolabel(net)

 net/ipv6/ip6_output.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

Comments

David Miller Nov. 27, 2016, 8:25 p.m. UTC | #1
From: Manjeet Pawar <manjeet.p@samsung.com>
Date: Thu, 24 Nov 2016 16:11:57 +0530

> From: Rohit Thapliyal <r.thapliyal@samsung.com>
> 
> np is checked for NULL and then dereferenced. It should be modified
> for the NULL case.
> 
> Signed-off-by: Rohit Thapliyal <r.thapliyal@samsung.com>
> Signed-off-by: Manjeet Pawar <manjeet.p@samsung.com>
> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
> Reviewed-by: Akhilesh Kumar <akhilesh.k@samsung.com>

I do not think inet6_sk(sk) can ever be NULL in this function.

All callers fall into two categories:

1) Calls where arguments already dereference np in some way to
   pass arguments to ip6_xmit():

net/dccp/ipv6.c:		err = ip6_xmit(sk, skb, &fl6, opt, np->tclass);
net/ipv6/inet6_connection_sock.c:	res = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt),
net/ipv6/tcp_ipv6.c:		err = ip6_xmit(sk, skb, fl6, opt, np->tclass);
net/sctp/ipv6.c:	res = ip6_xmit(sk, skb, fl6, rcu_dereference(np->opt), np->tclass);

2) Calls where the socket is a "control" socket which is initialized
   at protocol registration time and therefore definitely has
   a proper inet6_sk() pointer set up.

net/dccp/ipv6.c:		ip6_xmit(ctl_sk, skb, &fl6, NULL, 0);
net/ipv6/tcp_ipv6.c:		ip6_xmit(ctl_sk, buff, &fl6, NULL, tclass);

Therefore, I think we should simply remove the NULL test entirely.

Patch

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 59eb4ed..d734b5e 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -215,11 +215,14 @@  int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
 	 */
 	if (np)
 		hlimit = np->hop_limit;
+
 	if (hlimit < 0)
 		hlimit = ip6_dst_hoplimit(dst);
 
-	ip6_flow_hdr(hdr, tclass, ip6_make_flowlabel(net, skb, fl6->flowlabel,
-						     np->autoflowlabel, fl6));
+	ip6_flow_hdr(hdr, tclass,
+		ip6_make_flowlabel(net, skb, fl6->flowlabel,
+			np ? np->autoflowlabel : ip6_default_np_autolabel(net),
+			fl6));
 
 	hdr->payload_len = htons(seg_len);
 	hdr->nexthdr = proto;
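Review bot: the hunk leaves the function with two contradictory assumptions about `np`: the existing `if (np)` guard around `hlimit = np->hop_limit;` says it may be NULL, while the new `np ? np->autoflowlabel : ip6_default_np_autolabel(net)` adds a second NULL path that, per the maintainer's survey of callers above, nothing ever exercises (every caller either dereferences `np` before calling ip6_xmit() or passes a control socket with inet6_sk() set up). Rather than adding a fallback for an unreachable case, the cleaner change is to drop the `if (np)` test and read `np->hop_limit` and `np->autoflowlabel` unconditionally, or, if a NULL `np` is genuinely possible, say in the commit message which caller produces it. The blank line added after `hlimit = np->hop_limit;` is an unrelated whitespace change and should be left out of a bug-fix patch.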