git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Fri, 13 Jan 2017 13:55:14 +0000 (14:55 +0100)
committer	Steffen Klassert <steffen.klassert@secunet.com>
	Mon, 16 Jan 2017 07:36:33 +0000 (08:36 +0100)
commit	3819a35fdb8f82428c2b5190f195c4e0b8c427bf
tree	3e696faeb870dfd7ce7b99a12da011e398e879af	tree
parent	75cda62d9ca2cd3fab0412d438fcd1bfa0580b3d	commit \| diff

xfrm: fix possible null deref in xfrm_init_tempstate

Dan reports following smatch warning:
net/xfrm/xfrm_state.c:659
error: we previously assumed 'afinfo' could be null (see line 651)

649  struct xfrm_state_afinfo *afinfo = xfrm_state_afinfo_get_rcu(family);
651  if (afinfo)
...
658  }
659  afinfo->init_temprop(x, tmpl, daddr, saddr);

I am resonably sure afinfo cannot be NULL here.

xfrm_state4.c and state6.c are both part of ipv4/ipv6 (depends on
CONFIG_XFRM, a boolean) but even if ipv6 is a module state6.c can't
be removed (ipv6 lacks module_exit so it cannot be removed).

The only callers for xfrm6_fini that leads to state backend unregister
are error unwinding paths that can be called during ipv6 init function.

So after ipv6 module is loaded successfully the state backend cannot go
away anymore.

The family value from policy lookup path is taken from dst_entry, so
that should always be AF_INET(6).

However, since this silences the warning and avoids readers of this
code wondering about possible null deref it seems preferrable to
be defensive and just add the old check back.

Fixes: 711059b9752ad0 ("xfrm: add and use xfrm_state_afinfo_get_rcu")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>