Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp872678pxf;
        Thu, 8 Apr 2021 15:03:29 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzWHt86tKtJOb141Axon9Rq8bsQXxwE5j30dpBpktBCTIGblZ0FdPWqy2DAEe8GUzYaIYu8
X-Received: by 2002:a17:906:1314:: with SMTP id w20mr13141260ejb.438.1617919409077;
        Thu, 08 Apr 2021 15:03:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1617919409; cv=none;
        d=google.com; s=arc-20160816;
        b=eP+V+ot5Im6Xvfj5lZqdb/QR2gEenepAhwOoqilCnStMRuF8PxXl8jKwAMSHSdODDV
         a4seQwn1sNL+F1t9c+dcO4EmddaMmDsOlv+LtktI1iqtNrg0OcVj6igJ4a7L9e71UR8x
         D6IYZnTLGN6AwATLxWoFORTViPBwB4MtumodTQNd6ZVvmWHK0b++lxgW39qV/WNjPtYZ
         v5UOvq3nWZOS4ojblX0iZjkEXMBbPSTv53Ou0iAE6KBNrais7fg4hUQuBvLuFegZ7kv/
         Of5MlB1A12ISKxEfzv+WpexUJURBArBRZFUEANtBfIzAlkwRzPWxLWiTrOD/v+HUXWMg
         n6iA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-disposition:mime-version:message-id
         :subject:cc:to:from:date:dkim-signature;
        bh=1k2oFebJMetFk2MF03n3BhfJ/Z6puGCIo7fh0K3MdcY=;
        b=zXr/U75NyZoi0RF2HjfQku50gMslL/3Xqi15mmX3ks/LH0yZ+ru8vWB2mnnAnU1YSY
         FsoKuimAG+aSZk6hIbCiXSlOCH91qYgVtH9FfJn88it04RknGIFplIDT+aUtxzQ7jYqc
         46jD4UveBUAJARsfnPZ25CrTNhrxHDZFpu3k3UMuFNYVQ5E99X5ZgoOrreZ1iKh610Mg
         HEO5gSqAQZ6snbAfpYbAq4+kDgbkkgm+fMCDA8Dva4W3pN7tvPAmNEnk1q5laDN8b3jn
         eN1snsN/MKuchzvMvbPSNIn8VcG2Fo6jPHo5Y0Noiw89ehvWqNd+4fgNYmCBL1mR/O7m
         EUrQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=PRkaV10c;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id pj11si406721ejb.582.2021.04.08.15.03.06;
        Thu, 08 Apr 2021 15:03:29 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=PRkaV10c;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232696AbhDHWBu (ORCPT <rfc822;linux.sihyeon@gmail.com>
        + 99 others); Thu, 8 Apr 2021 18:01:50 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38540 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232265AbhDHWBt (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 8 Apr 2021 18:01:49 -0400
Received: from mail-wm1-x335.google.com (mail-wm1-x335.google.com [IPv6:2a00:1450:4864:20::335])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 22F33C061761;
        Thu,  8 Apr 2021 15:01:37 -0700 (PDT)
Received: by mail-wm1-x335.google.com with SMTP id a76so1928593wme.0;
        Thu, 08 Apr 2021 15:01:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=date:from:to:cc:subject:message-id:mime-version:content-disposition;
        bh=1k2oFebJMetFk2MF03n3BhfJ/Z6puGCIo7fh0K3MdcY=;
        b=PRkaV10clS+sLFEZRt0+mqBC/zm4SqmmBE9Gqa81Fz0xckmRM+MJuOI2M525VQlPg1
         D5ThmRBHKWpYoIIiGkgzco8KJcvyMvcQhWi8lgTawXnBb9X4vbWGi+Y9vf8atwhaj5Ce
         oFAcr1MFJG5lO0AX4iRggn7HIDdTiy8mGxoDh05Fc4HUGzghplJf7iXLMSwakD6v8iUk
         B9EVN7msrL3jru4b556NUvx41K9Xfo0LdNBQiwJ9avVKkMZyfu4+jAQHMS+EOWDLKzKu
         I4Oiud+uTZ6fvFUCUzU5NhlcOcMRebMxa6lIohFsp8fzpu80DzrK6aSyMO1SHYKujZY1
         6DUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version
         :content-disposition;
        bh=1k2oFebJMetFk2MF03n3BhfJ/Z6puGCIo7fh0K3MdcY=;
        b=ox0DLYGIulOlNlVs3qBUO4xkNyO+l+LckU3+jFFFV2nRF8w0zCYekGLkZA0f9KfTIy
         yizGVZQWzd8ZRJqYNmoU2XF90D97b6lRi0SDX51uwJ+Wfb4Gud3PY1vkfi1QojbJzIji
         X1+lU/s/POy8zsBKXYbLp3L+8x0en5rMrYMQY6Bu5+GtWtbx9wPxYvWhiIrcPxVKhpiZ
         NMvQ4JX6RgQIelw3WlFRVk7I7n5xseb1lldg63wVkAdgdgg+auTLM/04IllZvJb8va4s
         nO31ZmQNmr/Y/sS/hDEOZtkGjfVFSFPHp1k9mZUql9QAdBW5WDh/5gjLbthP9u/mWS0J
         k5lw==
X-Gm-Message-State: AOAM530IGM9gC3WYkeaykLvERzyoSUrvxwVQ+EcojL74Qnk47y7CZPmw
        EClZvTUsC+DJAn5VcNaDt0E=
X-Received: by 2002:a1c:4c0c:: with SMTP id z12mr10800685wmf.38.1617919295698;
        Thu, 08 Apr 2021 15:01:35 -0700 (PDT)
Received: from LEGION ([39.46.7.73])
        by smtp.gmail.com with ESMTPSA id o7sm1041687wrs.16.2021.04.08.15.01.32
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 08 Apr 2021 15:01:35 -0700 (PDT)
Date:   Fri, 9 Apr 2021 03:01:29 +0500
From:   Muhammad Usama Anjum <musamaanjum@gmail.com>
To:     "David S. Miller" <davem@davemloft.net>,
        Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
        David Ahern <dsahern@kernel.org>,
        Jakub Kicinski <kuba@kernel.org>,
        "open list:NETWORKING [IPv4/IPv6]" <netdev@vger.kernel.org>,
        open list <linux-kernel@vger.kernel.org>
Cc:     musamaanjum@gmail.com, kernel-janitors@vger.kernel.org,
        colin.king@canonical.com, dan.carpenter@oracle.com,
        stable@vger.kernel.org
Subject: [PATCH] net: ipv6: check for validity before dereferencing
 cfg->fc_nlinfo.nlh
Message-ID: <20210408220129.GA3111136@LEGION>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

nlh is being checked for validtity two times when it is dereferenced in
this function. Check for validity again when updating the flags through
nlh pointer to make the dereferencing safe.

CC: <stable@vger.kernel.org>
Addresses-Coverity: ("NULL pointer dereference")
Signed-off-by: Muhammad Usama Anjum <musamaanjum@gmail.com>
---
 net/ipv6/route.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 28801ae80548..a22822bdbf39 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -5206,9 +5206,11 @@ static int ip6_route_multipath_add(struct fib6_config *cfg,
 		 * nexthops have been replaced by first new, the rest should
 		 * be added to it.
 		 */
-		cfg->fc_nlinfo.nlh->nlmsg_flags &= ~(NLM_F_EXCL |
-						     NLM_F_REPLACE);
-		cfg->fc_nlinfo.nlh->nlmsg_flags |= NLM_F_CREATE;
+		if (cfg->fc_nlinfo.nlh) {
+			cfg->fc_nlinfo.nlh->nlmsg_flags &= ~(NLM_F_EXCL |
+							     NLM_F_REPLACE);
+			cfg->fc_nlinfo.nlh->nlmsg_flags |= NLM_F_CREATE;
+		}
 		nhn++;
 	}
 
-- 
2.25.1