• Pavel Emelyanov's avatar
    [NET]: NULL pointer dereference and other nasty things in /proc/net/(tcp|udp)[6] · 28518fc1
    Pavel Emelyanov authored
    Commits f40c81 ([NETNS][IPV4] tcp - make proc handle the network
    namespaces) and a91275 ([NETNS][IPV6] udp - make proc handle the
    network namespace) both introduced bad checks on sockets and tw
    buckets to belong to proper net namespace.
    
    I.e. when checking for socket to belong to given net and family the
    
    	do {
    		sk = sk_next(sk);
    	} while (sk && sk->sk_net != net && sk->sk_family != family);
    
    constructions were used. This is wrong, since as soon as the
    sk->sk_net fits the net the socket is immediately returned, even if it
    belongs to other family.
    
    As the result four /proc/net/(udp|tcp)[6] entries show wrong info.
    The udp6 entry even oopses when dereferencing inet6_sk(sk) pointer:
    
    static void udp6_sock_seq_show(struct seq_file *seq, struct sock *sp, int bucket)
    {
    	...
            struct ipv6_pinfo *np = inet6_sk(sp);
    	...
    
            dest  = &np->daddr; /* will be NULL for AF_INET sockets */
    	...
    	seq_printf(...
    	           dest->s6_addr32[0], dest->s6_addr32[1],
                       dest->s6_addr32[2], dest->s6_addr32[3],
    	...
    
    Fix it by converting && to ||.
    Signed-off-by: default avatarPavel Emelyanov <xemul@openvz.org>
    Acked-by: default avatarDaniel Lezcano <dlezcano@fr.ibm.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    28518fc1
tcp_ipv4.c 61.6 KB