summaryrefslogtreecommitdiff
path: root/net/ieee802154
diff options
context:
space:
mode:
authorTony Cheneau <tony.cheneau@amnesiak.org>2012-07-11 06:51:14 +0000
committerDavid S. Miller <davem@davemloft.net>2012-07-16 22:51:15 -0700
commitd4787a15432384826a0bed42d189fc2a97dc73ea (patch)
tree211b8183a67dd12d817146265485a597a4f85942 /net/ieee802154
parent6e5928f6dfd92a47c489bb735c4cb8bbb62038e0 (diff)
downloadlinux-rpi-d4787a15432384826a0bed42d189fc2a97dc73ea.tar.gz
linux-rpi-d4787a15432384826a0bed42d189fc2a97dc73ea.tar.bz2
linux-rpi-d4787a15432384826a0bed42d189fc2a97dc73ea.zip
6lowpan: Fix null pointer dereference in UDP uncompression function
When a UDP packet gets fragmented, a crash will occur at reassembly time. This is because skb->transport_header is not set during earlier period of fragment reassembly. As a consequence, call to udp_hdr() return NULL and uh (which is NULL) gets dereferenced without much test. Signed-off-by: Tony Cheneau <tony.cheneau@amnesiak.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ieee802154')
-rw-r--r--net/ieee802154/6lowpan.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
index 6871ec1b30f8..416a54d31fb2 100644
--- a/net/ieee802154/6lowpan.c
+++ b/net/ieee802154/6lowpan.c
@@ -314,6 +314,9 @@ lowpan_uncompress_udp_header(struct sk_buff *skb)
struct udphdr *uh = udp_hdr(skb);
u8 tmp;
+ if (!uh)
+ goto err;
+
if (lowpan_fetch_skb_u8(skb, &tmp))
goto err;