Reply-To: nicolas.dichtel@6wind.com
Subject: Re: [PATCH 1/2] net: ipv4: Fix a possible null-pointer dereference in inet_csk_rebuild_route()
To: Jia-Ju Bai, davem@davemloft.net, kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20190726022534.24994-1-baijiaju1990@gmail.com>
From: Nicolas Dichtel
Organization: 6WIND
Message-ID: <64986d3e-3ee8-896f-0261-3d9cc595ba11@6wind.com>
Date: Fri, 26 Jul 2019 11:15:55 +0200
In-Reply-To: <20190726022534.24994-1-baijiaju1990@gmail.com>

On 26/07/2019 at 04:25, Jia-Ju Bai wrote:
> In inet_csk_rebuild_route(), rt is assigned to NULL on line 1071.
> On line 1076, rt is used:
> return &rt->dst;
> Thus, a possible null-pointer dereference may occur.
>
> To fix this bug, rt is checked before being used.
>
> This bug is found by a static analysis tool STCheck written by us.
>
> Signed-off-by: Jia-Ju Bai
> ---
> net/ipv4/inet_connection_sock.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
> index f5c163d4771b..27d9d80f3401 100644
> --- a/net/ipv4/inet_connection_sock.c
> +++ b/net/ipv4/inet_connection_sock.c
> @@ -1073,7 +1073,10 @@ static struct dst_entry *inet_csk_rebuild_route(struct sock *sk, struct flowi *f
> sk_setup_caps(sk, &rt->dst);
> rcu_read_unlock();
>
> - return &rt->dst;
> + if (rt)
> + return &rt->dst;
> + else
> + return NULL;

Hmm, ->dst is the first field (and that will never change), thus &rt->dst is NULL
if rt is NULL.
I don't think there is a problem with the current code.

Regards,
Nicolas
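
Review bot: the `if (rt)` test added at the return does not guard a memory access, because `&rt->dst` only computes an address and loads nothing through `rt`; as the reply points out, with `dst` as the first field that expression already evaluates to NULL when `rt` is NULL, so the new branch returns the same value as the line it replaces. The commit message cites line numbers but names no path on which `rt` is actually read through; the context line `sk_setup_caps(sk, &rt->dst);` is the call to examine, and the hunk does not show whether it is guarded, so the report should quote that condition. If the goal is to make the first-field assumption explicit, a compile-time assertion that the offset of `dst` is zero documents it better than a runtime branch. If the branch is kept anyway, drop the `else` after `return` and use an early `if (!rt) return NULL;` instead.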