Hi,
In net/ipv4/ip_options.c::ip_options_compile() we have the following
code at the start of the function :
int ip_options_compile(struct ip_options * opt, struct sk_buff * skb)
{
int l;
unsigned char * iph;
unsigned char * optptr;
int optlen;
unsigned char * pp_ptr = NULL;
struct rtable *rt = skb ? (struct rtable*)skb->dst : NULL;
if (!opt) {
opt = &(IPCB(skb)->opt);
iph = skb->nh.raw;
opt->optlen = ((struct iphdr *)iph)->ihl*4 -
sizeof(struct iphdr);
optptr = iph + sizeof(struct iphdr);
opt->is_data = 0;
} else {
optptr = opt->is_data ? opt->__data : (unsigned
char*)&(skb->nh.iph[1]);
iph = optptr - sizeof(struct iphdr);
}
...
I don't see how that avoids blowing up if we get passed a NULL skb.
From the line
struct rtable *rt = skb ? (struct rtable*)skb->dst : NULL;
it is clear that we /may/ get passed a null skb.
Then a bit further down in the if (!opt) bit we dereference 'skb' :
opt = &(IPCB(skb)->opt);
and we also may dereference it in the else part :
optptr = opt->is_data ? opt->__data : (unsigned char*)&(skb->nh.iph[1]);
So if 'skb' is NULL, the only route I see that doesn't cause a NULL
pointer deref is if (opt != NULL) and at the same time
(opt->is_data != NULL) . Is that guaranteed in any way? If now,
how come we don't blow up regularly?
--
Jesper Juhl <[email protected]>
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please http://www.expita.com/nomime.html
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
