diff options
author | Patrick McHardy <kaber@trash.net> | 2010-04-15 13:29:28 +0200 |
---|---|---|
committer | Patrick McHardy <kaber@trash.net> | 2010-04-15 13:31:29 +0200 |
commit | 8de53dfbf9a0a0f7538c005137059c5c021476e1 (patch) | |
tree | 51fbba0b36a24feac02fa76d4deaecfcdece7c7f | |
parent | ipv4: ipmr: fix invalid cache resolving when adding a non-matching entry (diff) | |
download | linux-8de53dfbf9a0a0f7538c005137059c5c021476e1.tar.xz linux-8de53dfbf9a0a0f7538c005137059c5c021476e1.zip |
ipv4: ipmr: fix NULL pointer deref during unres queue destruction
Fix an oversight in ipmr_destroy_unres() - the net pointer is
unconditionally initialized to NULL, resulting in a NULL pointer
dereference later on.
Fix by adding a net pointer to struct mr_table and using it in
ipmr_destroy_unres().
Signed-off-by: Patrick McHardy <kaber@trash.net>
-rw-r--r-- | net/ipv4/ipmr.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c index 0643fb6d47c4..7d8a2bcecb76 100644 --- a/net/ipv4/ipmr.c +++ b/net/ipv4/ipmr.c @@ -71,6 +71,9 @@ struct mr_table { struct list_head list; +#ifdef CONFIG_NET_NS + struct net *net; +#endif u32 id; struct sock *mroute_sk; struct timer_list ipmr_expire_timer; @@ -308,6 +311,7 @@ static struct mr_table *ipmr_new_table(struct net *net, u32 id) mrt = kzalloc(sizeof(*mrt), GFP_KERNEL); if (mrt == NULL) return NULL; + write_pnet(&mrt->net, net); mrt->id = id; /* Forwarding cache */ @@ -580,7 +584,7 @@ static inline void ipmr_cache_free(struct mfc_cache *c) static void ipmr_destroy_unres(struct mr_table *mrt, struct mfc_cache *c) { - struct net *net = NULL; //mrt->net; + struct net *net = read_pnet(&mrt->net); struct sk_buff *skb; struct nlmsgerr *e; |