Home Home > GIT Browse > SLE15-AZURE
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFiro Yang <fyang@suse.com>2019-08-16 11:05:25 +0200
committerFiro Yang <fyang@suse.com>2019-08-16 11:05:33 +0200
commit7763576c3955fdb83771b68ef70f3e2bcf42320d (patch)
treedea725dcac4eed7ad0f7da5e11dd738ed930dc3f
parent10fa205d451a5f6c55bbc6fa26555445a442ceec (diff)
xfrm: Fix NULL pointer dereference when skb_dst_force clears
the dst_entry (bsc#1143300). suse-commit: 403867624466806b2e8df454e7b2c0c3fcdb71f8
-rw-r--r--net/xfrm/xfrm_output.c4
-rw-r--r--net/xfrm/xfrm_policy.c4
2 files changed, 8 insertions, 0 deletions
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index ccd3d76891ab..94ff301b46df 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -98,6 +98,10 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
spin_unlock_bh(&x->lock);
skb_dst_force(skb);
+ if (!skb_dst(skb)) {
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
+ goto error_nolock;
+ }
if (xfrm_offload(skb)) {
x->type_offload->encap(x, skb);
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index c82c695fa3fd..89bbe40736f9 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2625,6 +2625,10 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
}
skb_dst_force(skb);
+ if (!skb_dst(skb)) {
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
+ return 0;
+ }
dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, XFRM_LOOKUP_QUEUE);
if (IS_ERR(dst)) {