6lowpan: Fix null pointer dereference in UDP uncompression function

When a UDP packet gets fragmented, a crash will occur at reassembly time.
This is because skb->transport_header is not set during earlier period of fragment reassembly.
As a consequence, call to udp_hdr() return NULL and uh (which is NULL) gets
dereferenced without much test.

Signed-off-by: Tony Cheneau <tony.cheneau@amnesiak.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Tony Cheneau 2012-07-11 06:51:14 +00:00 committed by David S. Miller
parent 6e5928f6df
commit d4787a1543
1 changed files with 3 additions and 0 deletions

View File

@ -314,6 +314,9 @@ lowpan_uncompress_udp_header(struct sk_buff *skb)
struct udphdr *uh = udp_hdr(skb); struct udphdr *uh = udp_hdr(skb);
u8 tmp; u8 tmp;
if (!uh)
goto err;
if (lowpan_fetch_skb_u8(skb, &tmp)) if (lowpan_fetch_skb_u8(skb, &tmp))
goto err; goto err;