| Message ID | 20190726022534.24994-1-baijiaju1990@gmail.com |
|---|---|
| State | Rejected |
| Delegated to: | David Miller |
| Headers | show |
| Series | [1/2] net: ipv4: Fix a possible null-pointer dereference in inet_csk_rebuild_route() | expand |
Le 26/07/2019 à 04:25, Jia-Ju Bai a écrit : > In inet_csk_rebuild_route(), rt is assigned to NULL on line 1071. > On line 1076, rt is used: > return &rt->dst; > Thus, a possible null-pointer dereference may occur.> > To fix this bug, rt is checked before being used. > > This bug is found by a static analysis tool STCheck written by us. > > Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> > --- > net/ipv4/inet_connection_sock.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c > index f5c163d4771b..27d9d80f3401 100644 > --- a/net/ipv4/inet_connection_sock.c > +++ b/net/ipv4/inet_connection_sock.c > @@ -1073,7 +1073,10 @@ static struct dst_entry *inet_csk_rebuild_route(struct sock *sk, struct flowi *f > sk_setup_caps(sk, &rt->dst); > rcu_read_unlock(); > > - return &rt->dst; > + if (rt) > + return &rt->dst; > + else > + return NULL; Hmm, ->dst is the first field (and that will never change), thus &rt->dst is NULL if rt is NULL. I don't think there is a problem with the current code. Regards, Nicolas
From: Jia-Ju Bai <baijiaju1990@gmail.com> Date: Fri, 26 Jul 2019 10:25:34 +0800 > diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c > index f5c163d4771b..27d9d80f3401 100644 > --- a/net/ipv4/inet_connection_sock.c > +++ b/net/ipv4/inet_connection_sock.c > @@ -1073,7 +1073,10 @@ static struct dst_entry *inet_csk_rebuild_route(struct sock *sk, struct flowi *f > sk_setup_caps(sk, &rt->dst); > rcu_read_unlock(); > > - return &rt->dst; > + if (rt) > + return &rt->dst; > + else > + return NULL; If rt is NULL, &rt->dst is also NULL as has been pointed out to you. Please fix your automated tools to understand this case before submitting more changes. Thank you.
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c index f5c163d4771b..27d9d80f3401 100644 --- a/net/ipv4/inet_connection_sock.c +++ b/net/ipv4/inet_connection_sock.c @@ -1073,7 +1073,10 @@ static struct dst_entry *inet_csk_rebuild_route(struct sock *sk, struct flowi *f sk_setup_caps(sk, &rt->dst); rcu_read_unlock(); - return &rt->dst; + if (rt) + return &rt->dst; + else + return NULL; } struct dst_entry *inet_csk_update_pmtu(struct sock *sk, u32 mtu)
In inet_csk_rebuild_route(), rt is assigned to NULL on line 1071. On line 1076, rt is used: return &rt->dst; Thus, a possible null-pointer dereference may occur. To fix this bug, rt is checked before being used. This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> --- net/ipv4/inet_connection_sock.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)