6lowpan: Fix null pointer dereference in UDP uncompression function

When a UDP packet gets fragmented, a crash will occur at reassembly time. This is because skb->transport_header is not set during earlier period of fragment reassembly. As a consequence, call to udp_hdr() return NULL and uh (which is NULL) gets dereferenced without much test. Signed-off-by: Tony Cheneau <tony.cheneau@amnesiak.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Tony Cheneau <tony.cheneau@amnesiak.org> 2012-07-11 06:51:14 +0000
committer: David S. Miller <davem@davemloft.net> 2012-07-16 22:51:15 -0700
commit: d4787a15432384826a0bed42d189fc2a97dc73ea (patch)
tree: 211b8183a67dd12d817146265485a597a4f85942 /net/ieee802154
parent: 6e5928f6dfd92a47c489bb735c4cb8bbb62038e0 (diff)
download: op-kernel-dev-d4787a15432384826a0bed42d189fc2a97dc73ea.zip
op-kernel-dev-d4787a15432384826a0bed42d189fc2a97dc73ea.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
index 6871ec1..416a54d 100644
--- a/net/ieee802154/6lowpan.c
+++ b/net/ieee802154/6lowpan.c
@@ -314,6 +314,9 @@ lowpan_uncompress_udp_header(struct sk_buff *skb)
 	struct udphdr *uh = udp_hdr(skb);
 	u8 tmp;
 
+	if (!uh)
+		goto err;
+
 	if (lowpan_fetch_skb_u8(skb, &tmp))
 		goto err;
author	Tony Cheneau <tony.cheneau@amnesiak.org>	2012-07-11 06:51:14 +0000
committer	David S. Miller <davem@davemloft.net>	2012-07-16 22:51:15 -0700
commit	d4787a15432384826a0bed42d189fc2a97dc73ea (patch)
tree	211b8183a67dd12d817146265485a597a4f85942 /net/ieee802154
parent	6e5928f6dfd92a47c489bb735c4cb8bbb62038e0 (diff)
download	op-kernel-dev-d4787a15432384826a0bed42d189fc2a97dc73ea.zip op-kernel-dev-d4787a15432384826a0bed42d189fc2a97dc73ea.tar.gz