Commit d4787a15 authored by Tony Cheneau, committed by David S. Miller

6lowpan: Fix null pointer dereference in UDP uncompression function

When a UDP packet gets fragmented, a crash will occur at reassembly time.
This is because skb->transport_header is not set during the earlier period of fragment reassembly.
As a consequence, the call to udp_hdr() returns NULL and uh (which is NULL) gets
dereferenced without much test.
Signed-off-by: Tony Cheneau <tony.cheneau@amnesiak.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 6e5928f6
...@@ -314,6 +314,9 @@ lowpan_uncompress_udp_header(struct sk_buff *skb) ...@@ -314,6 +314,9 @@ lowpan_uncompress_udp_header(struct sk_buff *skb)
struct udphdr *uh = udp_hdr(skb); struct udphdr *uh = udp_hdr(skb);
u8 tmp; u8 tmp;
if (!uh)
goto err;
if (lowpan_fetch_skb_u8(skb, &tmp)) if (lowpan_fetch_skb_u8(skb, &tmp))
goto err; goto err;
......
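Review bot: The new `if (!uh) goto err;` right after `udp_hdr(skb)` stops the dereference, but it handles the symptom rather than the cause named in the commit message: skb->transport_header is still unset at reassembly time, so every reassembled UDP packet will now take the err path instead of being uncompressed. Consider setting the transport header in the reassembly path before lowpan_uncompress_udp_header() is called (for example with skb_reset_transport_header()), and keep this check only as a defensive guard. A one-line comment above the check saying when uh can be NULL would also help, since a NULL return from udp_hdr() is not something a reader would expect, and the guard only works if the unset header really yields a NULL pointer rather than some other invalid address.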