diff mbox series

ipv6: route: fix possible null-pointer-dereference in ip6_route_info_create

Message ID 20241101035843.52230-1-03zouyi09.25@gmail.com (mailing list archive)
State New
Delegated to: Netdev Maintainers
Headers show
Series ipv6: route: fix possible null-pointer-dereference in ip6_route_info_create | expand

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 3 this patch: 3
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers warning 1 maintainers not CCed: horms@kernel.org
netdev/build_clang success Errors and warnings before: 3 this patch: 3
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 5 this patch: 5
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest pending net-next-2024-11-01--06-00 (tests: 0)

Commit Message

Yi Zou Nov. 1, 2024, 3:58 a.m. UTC 
In the ip6_route_info_create function, the variable fib6_nh is
assigned the return value of nexthop_fib6_nh(rt->nh), which could
result in fib6_nh being NULL. Immediately after this assignment,
there is a potential dereference of fib6_nh in the following code:
if (!ipv6_addr_any(&cfg->fc_prefsrc)) {
 struct net_device *dev = fib6_nh->fib_nh_dev;
This lead to a null pointer dereference (NPD) risk if fib6_nh is
NULL. The issue can be resolved by adding a NULL check before the
deference line.

Signed-off-by: Yi Zou <03zouyi09.25@gmail.com>
---
 net/ipv6/route.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index b4251915585f..919592fa4e64 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -3821,7 +3821,7 @@  static struct fib6_info *ip6_route_info_create(struct fib6_config *cfg,
 			rt->fib6_flags = RTF_REJECT | RTF_NONEXTHOP;
 	}
 
-	if (!ipv6_addr_any(&cfg->fc_prefsrc)) {
+	if (!ipv6_addr_any(&cfg->fc_prefsrc) && fib6_nh) {
 		struct net_device *dev = fib6_nh->fib_nh_dev;
 
 		if (!ipv6_chk_addr(net, &cfg->fc_prefsrc, dev, 0)) {