2014-06-11 23:40:33

by Linus Lüssing

[permalink] [raw]
Subject: [PATCH 0/2 net-next] bridge: fix bugs introduced by last multicast patchset

Once my last patchset got applied, I got slapped by an automatic smatch
and build bot. Here are two patches fixing the according issues, a potential
null pointer dereference and a compile error when compiling without IPv6.

[PATCH 1/2] is probably not the ideal solution - the assignment of the
group and max_delay is still a mess and has subtle differences between
IGMPv2, IGMPv3, MLDv1 and MLDv2. That should probably be fixed $later.
But for now, I think the easier fix might be better, restoring the
behaviour before my "adhere to querier mechanism" patch and therefore
keeping things bisect'able.

Cheers, Linus


2014-06-11 23:40:42

by Linus Lüssing

[permalink] [raw]
Subject: [PATCH 1/2] bridge: fix smatch warning / potential null pointer dereference

"New smatch warnings:
net/bridge/br_multicast.c:1368 br_ip6_multicast_query() error:
we previously assumed 'group' could be null (see line 1349)"

In the rare (sort of broken) case of a query having a Maximum
Response Delay of zero, we could create a potential null pointer
dereference.

Fixing this by skipping the multicast specific MLD Query parsing again
if no multicast group address is available.

Introduced by dc4eb53a996a78bfb8ea07b47423ff5a3aadc362
("bridge: adhere to querier election mechanism specified by RFCs")

Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: Linus Lüssing <[email protected]>
---
net/bridge/br_multicast.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index cd3cf39..876e5fb 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1373,6 +1373,8 @@ static int br_ip6_multicast_query(struct net_bridge *br,
br_multicast_query_received(br, port, &br->ip6_other_query,
&saddr, max_delay);
goto out;
+ } else if (!group) {
+ goto out;
}

mp = br_mdb_ip6_get(mlock_dereference(br->mdb, br), group, vid);
--
1.7.10.4

2014-06-11 23:40:46

by Linus Lüssing

[permalink] [raw]
Subject: [PATCH 2/2] bridge: fix compile error when compiling without IPv6 support

Some fields in "struct net_bridge" aren't available when compiling the
kernel without IPv6 support. Therefore adding a check/macro to skip the
complaining code sections in that case.

Introduced by 2cd4143192e8c60f66cb32c3a30c76d0470a372d
("bridge: memorize and export selected IGMP/MLD querier port")

Reported-by: kbuild test robot <[email protected]>
Signed-off-by: Linus Lüssing <[email protected]>
---
net/bridge/br_multicast.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 876e5fb..abfa0b65 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -2246,11 +2246,13 @@ bool br_multicast_has_querier_adjacent(struct net_device *dev, int proto)
rcu_dereference(br->ip4_querier.port) == port)
goto unlock;
break;
+#if IS_ENABLED(CONFIG_IPV6)
case ETH_P_IPV6:
if (!timer_pending(&br->ip6_other_query.timer) ||
rcu_dereference(br->ip6_querier.port) == port)
goto unlock;
break;
+#endif
default:
goto unlock;
}
--
1.7.10.4

2014-06-12 18:00:45

by David Miller

[permalink] [raw]
Subject: Re: [PATCH 0/2 net-next] bridge: fix bugs introduced by last multicast patchset

From: Linus L?ssing <[email protected]>
Date: Thu, 12 Jun 2014 01:41:22 +0200

> Once my last patchset got applied, I got slapped by an automatic smatch
> and build bot. Here are two patches fixing the according issues, a potential
> null pointer dereference and a compile error when compiling without IPv6.

Series applied, thanks.