6lowpan: Fix null pointer dereference in UDP uncompression function · d4787a1543 - Gogs: Go Git Service GfA electronic

6lowpan: Fix null pointer dereference in UDP uncompression function

When a UDP packet gets fragmented, a crash will occur at reassembly time.
This is because skb->transport_header is not set during earlier period of fragment reassembly.
As a consequence, call to udp_hdr() return NULL and uh (which is NULL) gets
dereferenced without much test.

Signed-off-by: Tony Cheneau <tony.cheneau@amnesiak.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

Tony Cheneau 13 年之前

父节点

6e5928f6df

当前提交

d4787a1543

共有 1 个文件被更改，包括 3 次插入 和 0 次删除

分列视图显示文件统计

						
							+ 3
							
							- 0
						
net/ieee802154/6lowpan.c
							 
								查看文件
							
				@@ -314,6 +314,9 @@ lowpan_uncompress_udp_header(struct sk_buff *skb)
			
				 	struct udphdr *uh = udp_hdr(skb);
			
				 	u8 tmp;
			
				+	if (!uh)
			
				+		goto err;
			
				+
			
				 	if (lowpan_fetch_skb_u8(skb, &tmp))
			
				 		goto err;