Skip to content

Commit

Permalink
amt: fix possible null-ptr-deref in amt_rcv()
Browse files Browse the repository at this point in the history 
When amt interface receives amt message, it tries to obtain amt private
data from sock.
If there is no amt private data, it frees an skb immediately.
After kfree_skb(), it increases the rx_dropped stats.
But in order to use rx_dropped, amt private data is needed.
So, it makes amt_rcv() to do not increase rx_dropped stats when it can
not obtain amt private data.

Reported-by: kernel test robot <[email protected]>
Reported-by: Dan Carpenter <[email protected]>
Fixes: 1a1a0e8 ("amt: fix possible memory leak in amt_rcv()")
Signed-off-by: Taehee Yoo <[email protected]>
Signed-off-by: Jakub Kicinski <[email protected]>
  • Loading branch information
@TaeheeYoo @kuba-moo
TaeheeYoo authored and kuba-moo committed Jun 6, 2022
1 parent f55a070 commit d16207f
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion drivers/net/amt.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2698,7 +2698,8 @@ static int amt_rcv(struct sock *sk, struct sk_buff *skb)
amt = rcu_dereference_sk_user_data(sk);
if (!amt) {
err = true;
goto drop;
kfree_skb(skb);
goto out;
}

skb->dev = amt->dev;
Expand Down

0 comments on commit d16207f

Please sign in to comment.