author | Willy Tarreau <w@1wt.eu> | 2016-02-29 20:34:15 +0100 |
---|---|---|
committer | Willy Tarreau <w@1wt.eu> | 2016-03-12 14:25:41 +0100 |
commit | e3dea3074f18a0c1dca8b6328b6bba0af3d61349 (patch) | |
tree | e037db02fd0cab9e6149697a13229ed0f4cf5134 | |
parent | 5a7c752dd867bbea6d6301e9e4154a169f2ca4f6 (diff) | |
l2tp: fix another panic in pppol2tp

Commit 3feec9095d1 ("l2tp: Fix oops in pppol2tp_xmit") was backported
into 2.6.32.16 to fix a possible null deref in pppol2tp. But the same
still exists in pppol2tp_sendmsg() possibly causing the same crash.

Note that this bug doesn't appear to have any other impact than crashing
the system, as the dereferenced pointer is only used to test a value
against a 3-bit mask, so it can hardly be abused for anything except
leaking one third of a bit of memory.

This issue doesn't exist upstream because the code was replaced in 2.6.35
and the new function l2tp_xmit_skb() performs the appropriate check.

Reported-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Willy Tarreau <w@1wt.eu>

-rw-r--r-- | drivers/net/pppol2tp.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/net/pppol2tp.c b/drivers/net/pppol2tp.c index 4c8f019e7b9a..2295c134f590 100644 --- a/drivers/net/pppol2tp.c +++ b/drivers/net/pppol2tp.c @@ -975,7 +975,8 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh /* Calculate UDP checksum if configured to do so */ if (sk_tun->sk_no_check == UDP_CSUM_NOXMIT) skb->ip_summed = CHECKSUM_NONE; - else if (!(skb_dst(skb)->dev->features & NETIF_F_V4_CSUM)) { + else if ((skb_dst(skb) && skb_dst(skb)->dev) && + (!(skb_dst(skb)->dev->features & NETIF_F_V4_CSUM))) { skb->ip_summed = CHECKSUM_COMPLETE; csum = skb_checksum(skb, 0, udp_len, 0); uh->check = csum_tcpudp_magic(inet->saddr, inet->daddr, |
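Review bot: in the rewritten else-if of pppol2tp_sendmsg(), a NULL skb_dst(skb) or a NULL ->dev now makes the whole condition false, so such a packet skips the software checksum branch (CHECKSUM_COMPLETE plus skb_checksum()) and falls through to whatever follows, which is not visible in this hunk. It is worth confirming that the fall-through path does not assume a device capable of checksum offload; if it does, treating a missing dst or dev as "no NETIF_F_V4_CSUM" would keep the checksum computed in software instead, e.g. by testing !skb_dst(skb) || !skb_dst(skb)->dev || !(... & NETIF_F_V4_CSUM). As a smaller style point, skb_dst(skb) is evaluated three times in the new condition; caching it in a local variable would make the test easier to read, and a one-line comment saying why the dst can be NULL here would help the next person backporting to this file.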