Commit 0ad92ad03aa444b312bd318b0341011a8be09d13
Committed by
David S. Miller
David S. Miller
1 parent
501e89d3ae
Exists in
master
and in
6 other branches
udp: fix a race in encap_rcv handling
udp_queue_rcv_skb() has a possible race in encap_rcv handling, since this pointer can be changed anytime. We should use ACCESS_ONCE() to close the race. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 1 changed file with 5 additions and 3 deletions Side-by-side Diff
net/ipv4/udp.c
| ... | ... | @@ -1397,6 +1397,8 @@ |
| 1397 | 1397 | nf_reset(skb); |
| 1398 | 1398 | |
| 1399 | 1399 | if (up->encap_type) { |
| 1400 | + int (*encap_rcv)(struct sock *sk, struct sk_buff *skb); | |
| 1401 | + | |
| 1400 | 1402 | /* |
| 1401 | 1403 | * This is an encapsulation socket so pass the skb to |
| 1402 | 1404 | * the socket's udp_encap_rcv() hook. Otherwise, just |
| 1403 | 1405 | |
| ... | ... | @@ -1409,11 +1411,11 @@ |
| 1409 | 1411 | */ |
| 1410 | 1412 | |
| 1411 | 1413 | /* if we're overly short, let UDP handle it */ |
| 1412 | - if (skb->len > sizeof(struct udphdr) && | |
| 1413 | - up->encap_rcv != NULL) { | |
| 1414 | + encap_rcv = ACCESS_ONCE(up->encap_rcv); | |
| 1415 | + if (skb->len > sizeof(struct udphdr) && encap_rcv != NULL) { | |
| 1414 | 1416 | int ret; |
| 1415 | 1417 | |
| 1416 | - ret = (*up->encap_rcv)(sk, skb); | |
| 1418 | + ret = encap_rcv(sk, skb); | |
| 1417 | 1419 | if (ret <= 0) { |
| 1418 | 1420 | UDP_INC_STATS_BH(sock_net(sk), |
| 1419 | 1421 | UDP_MIB_INDATAGRAMS, |