6lowpan: Fix null pointer dereference in UDP uncompression function

When a UDP packet gets fragmented, a crash will occur at reassembly time. This is because skb->transport_header is not set during earlier period of fragment reassembly. As a consequence, call to udp_hdr() return NULL and uh (which is NULL) gets dereferenced without much test. Signed-off-by: Tony Cheneau <[email protected]> Signed-off-by: David S. Miller <[email protected]>
rtvt123 · Jul 17, 2012 · d4787a1 · d4787a1
1 parent 6e5928f
commit d4787a1
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
@@ -314,6 +314,9 @@ lowpan_uncompress_udp_header(struct sk_buff *skb)
 	struct udphdr *uh = udp_hdr(skb);
 	u8 tmp;
 
+	if (!uh)
+		goto err;
+
 	if (lowpan_fetch_skb_u8(skb, &tmp))
 		goto err;