diff options
author | Paolo Abeni <pabeni@redhat.com> | 2019-03-06 10:42:53 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2019-03-06 10:23:18 -0800 |
commit | 22c74764aa2943ecdf9f07c900d8a9c8ba6c9265 (patch) | |
tree | 44693948394b290d37255d46367355fef53eb8bd /net/ipv4/route.c | |
parent | f4772dee101c7ac66e395d07b3140d457901fa18 (diff) | |
download | linux-22c74764aa2943ecdf9f07c900d8a9c8ba6c9265.tar.gz linux-22c74764aa2943ecdf9f07c900d8a9c8ba6c9265.tar.bz2 linux-22c74764aa2943ecdf9f07c900d8a9c8ba6c9265.zip |
ipv4/route: fail early when inet dev is missing
If a non local multicast packet reaches ip_route_input_rcu() while
the ingress device IPv4 private data (in_dev) is NULL, we end up
doing a NULL pointer dereference in IN_DEV_MFORWARD().
Since the later call to ip_route_input_mc() is going to fail if
!in_dev, we can fail early in such scenario and avoid the dangerous
code path.
v1 -> v2:
- clarified the commit message, no code changes
Reported-by: Tianhao Zhao <tizhao@redhat.com>
Fixes: e58e41596811 ("net: Enable support for VRF with ipv4 multicast")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/route.c')
-rw-r--r-- | net/ipv4/route.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 738ff0a1a048..8ca3642f0d9b 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -2149,12 +2149,13 @@ int ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr, int our = 0; int err = -EINVAL; - if (in_dev) - our = ip_check_mc_rcu(in_dev, daddr, saddr, - ip_hdr(skb)->protocol); + if (!in_dev) + return err; + our = ip_check_mc_rcu(in_dev, daddr, saddr, + ip_hdr(skb)->protocol); /* check l3 master if no match yet */ - if ((!in_dev || !our) && netif_is_l3_slave(dev)) { + if (!our && netif_is_l3_slave(dev)) { struct in_device *l3_in_dev; l3_in_dev = __in_dev_get_rcu(skb->dev); |