提交 79315068 编写于 作者: E Eric Dumazet 提交者: David S. Miller

caif: fix two caif_connect() bugs

caif_connect() might dereference a netdevice after dev_put() it.

It also doesnt check dev_get_by_index() return value and could
dereference a NULL pointer.

Fix it, using RCU to avoid taking a reference.
Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
CC: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 27e6f065
...@@ -827,6 +827,7 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr, ...@@ -827,6 +827,7 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr,
long timeo; long timeo;
int err; int err;
int ifindex, headroom, tailroom; int ifindex, headroom, tailroom;
unsigned int mtu;
struct net_device *dev; struct net_device *dev;
lock_sock(sk); lock_sock(sk);
...@@ -896,15 +897,23 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr, ...@@ -896,15 +897,23 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr,
cf_sk->sk.sk_state = CAIF_DISCONNECTED; cf_sk->sk.sk_state = CAIF_DISCONNECTED;
goto out; goto out;
} }
dev = dev_get_by_index(sock_net(sk), ifindex);
err = -ENODEV;
rcu_read_lock();
dev = dev_get_by_index_rcu(sock_net(sk), ifindex);
if (!dev) {
rcu_read_unlock();
goto out;
}
cf_sk->headroom = LL_RESERVED_SPACE_EXTRA(dev, headroom); cf_sk->headroom = LL_RESERVED_SPACE_EXTRA(dev, headroom);
mtu = dev->mtu;
rcu_read_unlock();
cf_sk->tailroom = tailroom; cf_sk->tailroom = tailroom;
cf_sk->maxframe = dev->mtu - (headroom + tailroom); cf_sk->maxframe = mtu - (headroom + tailroom);
dev_put(dev);
if (cf_sk->maxframe < 1) { if (cf_sk->maxframe < 1) {
pr_warning("CAIF: %s(): CAIF Interface MTU too small (%d)\n", pr_warning("CAIF: %s(): CAIF Interface MTU too small (%u)\n",
__func__, dev->mtu); __func__, mtu);
err = -ENODEV;
goto out; goto out;
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册