提交 3c8a9c63 编写于 作者: M Mariusz Kozlowski 提交者: David S. Miller

tun/tap: Fix crashes if open() /dev/net/tun and then poll() it.

Fix NULL pointer dereference in tun_chr_pool() introduced by commit
33dccbb0 ("tun: Limit amount of queued
packets per device") and triggered by this code:

	int fd;
	struct pollfd pfd;
	fd = open("/dev/net/tun", O_RDWR);
	pfd.fd = fd;
	pfd.events = POLLIN | POLLOUT;
	poll(&pfd, 1, 0);
Reported-by: NEugene Kapun <abacabadabacaba@gmail.com>
Signed-off-by: NMariusz Kozlowski <m.kozlowski@tuxland.pl>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 1ded3f59
...@@ -486,12 +486,14 @@ static unsigned int tun_chr_poll(struct file *file, poll_table * wait) ...@@ -486,12 +486,14 @@ static unsigned int tun_chr_poll(struct file *file, poll_table * wait)
{ {
struct tun_file *tfile = file->private_data; struct tun_file *tfile = file->private_data;
struct tun_struct *tun = __tun_get(tfile); struct tun_struct *tun = __tun_get(tfile);
struct sock *sk = tun->sk; struct sock *sk;
unsigned int mask = 0; unsigned int mask = 0;
if (!tun) if (!tun)
return POLLERR; return POLLERR;
sk = tun->sk;
DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name); DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);
poll_wait(file, &tun->socket.wait, wait); poll_wait(file, &tun->socket.wait, wait);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册