[maint,2/2] batman-adv: Avoid nullptr dereference in dat after vlan_insert_tag
Commit Message
vlan_insert_tag can return NULL on errors. The distributed arp table code
therefore has to check the return value of vlan_insert_tag for NULL before
it can safely operate on this pointer.
Fixes: 53c6c262a581 ("batman-adv: tag locally generated ARP reply if needed")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
---
net/batman-adv/distributed-arp-table.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
Comments
On Saturday, July 02, 2016 09:52:14 Sven Eckelmann wrote:
> vlan_insert_tag can return NULL on errors. The distributed arp table code
> therefore has to check the return value of vlan_insert_tag for NULL before
> it can safely operate on this pointer.
>
> Fixes: 53c6c262a581 ("batman-adv: tag locally generated ARP reply if
> needed") Signed-off-by: Sven Eckelmann <sven@narfation.org>
> ---
> net/batman-adv/distributed-arp-table.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
Applied in revision 898382d.
Thanks,
Marek
@@ -1011,9 +1011,12 @@ bool batadv_dat_snoop_outgoing_arp_request(struct batadv_priv *bat_priv,
if (!skb_new)
goto out;
- if (vid & BATADV_VLAN_HAS_TAG)
+ if (vid & BATADV_VLAN_HAS_TAG) {
skb_new = vlan_insert_tag(skb_new, htons(ETH_P_8021Q),
vid & VLAN_VID_MASK);
+ if (!skb_new)
+ goto out;
+ }
skb_reset_mac_header(skb_new);
skb_new->protocol = eth_type_trans(skb_new,
@@ -1091,9 +1094,12 @@ bool batadv_dat_snoop_incoming_arp_request(struct batadv_priv *bat_priv,
*/
skb_reset_mac_header(skb_new);
- if (vid & BATADV_VLAN_HAS_TAG)
+ if (vid & BATADV_VLAN_HAS_TAG) {
skb_new = vlan_insert_tag(skb_new, htons(ETH_P_8021Q),
vid & VLAN_VID_MASK);
+ if (!skb_new)
+ goto out;
+ }
/* To preserve backwards compatibility, the node has choose the outgoing
* format based on the incoming request packet type. The assumption is