leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[NET_SCHED]: cls_basic: fix NULL pointer dereference

Browse Source 
cls_basic doesn't allocate tp->root before it is linked into the
active classifier list, resulting in a NULL pointer dereference
when packets hit the classifier before its ->change function is
called.

Reported by Chris Madden <chris@reflexsecurity.com>

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Patrick McHardy 2007-03-24 22:13:06 -07:00 committed by David S. Miller
parent c93a882ebe
commit d3fa76ee6b
1 changed files with 7 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
net/sched/cls_basic.c
View File

@ -81,6 +81,13 @@ static void basic_put(struct tcf_proto *tp, unsigned long f)
static int basic_init(struct tcf_proto *tp)
{
struct basic_head *head;
head = kzalloc(sizeof(*head), GFP_KERNEL);
if (head == NULL)
return -ENOBUFS;
INIT_LIST_HEAD(&head->flist);
tp->root = head;
return 0;
}
@ -176,15 +183,6 @@ static int basic_change(struct tcf_proto *tp, unsigned long base, u32 handle,
}
err = -ENOBUFS;
if (head == NULL) {
head = kzalloc(sizeof(*head), GFP_KERNEL);
if (head == NULL)
goto errout;
INIT_LIST_HEAD(&head->flist);
tp->root = head;
}
f = kzalloc(sizeof(*f), GFP_KERNEL);
if (f == NULL)
goto errout;