Commit 5c804bfd authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller

[NET_SCHED]: cls_fw: fix NULL pointer dereference

When the first fw classifier is initialized, there is a small window
between the ->init() and ->change() calls, during which the classifier
is active but not entirely set up and tp->root is still NULL (->init()
does nothing).

When a packet is queued during this window a NULL pointer dereference
occurs in fw_classify() when trying to dereference head->mask;
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent f216f082
...@@ -101,9 +101,10 @@ static int fw_classify(struct sk_buff *skb, struct tcf_proto *tp, ...@@ -101,9 +101,10 @@ static int fw_classify(struct sk_buff *skb, struct tcf_proto *tp,
struct fw_head *head = (struct fw_head*)tp->root; struct fw_head *head = (struct fw_head*)tp->root;
struct fw_filter *f; struct fw_filter *f;
int r; int r;
u32 id = skb->mark & head->mask; u32 id = skb->mark;
if (head != NULL) { if (head != NULL) {
id &= head->mask;
for (f=head->ht[fw_hash(id)]; f; f=f->next) { for (f=head->ht[fw_hash(id)]; f; f=f->next) {
if (f->id == id) { if (f->id == id) {
*res = f->res; *res = f->res;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment