ipv6: Fix NULL pointer dereference with time-wait sockets

Commit b2f5e7cd3dee2ed721bf0675e1a1ddebb849aee6 (ipv6: Fix conflict resolutions during ipv6 binding) introduced a regression where time-wait sockets were not treated correctly. This resulted in the following: BUG: unable to handle kernel NULL pointer dereference at 0000000000000062 IP: [<ffffffff805d7d61>] ipv4_rcv_saddr_equal+0x61/0x70 ... Call Trace: [<ffffffffa033847b>] ipv6_rcv_saddr_equal+0x1bb/0x250 [ipv6] [<ffffffffa03505a8>] inet6_csk_bind_conflict+0x88/0xd0 [ipv6] [<ffffffff805bb18e>] inet_csk_get_port+0x1ee/0x400 [<ffffffffa0319b7f>] inet6_bind+0x1cf/0x3a0 [ipv6] [<ffffffff8056d17c>] ? sockfd_lookup_light+0x3c/0xd0 [<ffffffff8056ed49>] sys_bind+0x89/0x100 [<ffffffff80613ea2>] ? trace_hardirqs_on_thunk+0x3a/0x3c [<ffffffff8020bf9b>] system_call_fastpath+0x16/0x1b Tested-by: Brian Haley <brian.haley@hp.com> Tested-by: Ed Tomlinson <edt@aei.ca> Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>

ipv6: Fix NULL pointer dereference with time-wait sockets
Commit b2f5e7cd3dee2ed721bf0675e1a1ddebb849aee6 (ipv6: Fix conflict resolutions during ipv6 binding) introduced a regression where time-wait sockets were not treated correctly. This resulted in the following: BUG: unable to handle kernel NULL pointer dereference at 0000000000000062 IP: [<ffffffff805d7d61>] ipv4_rcv_saddr_equal+0x61/0x70 ... Call Trace: [<ffffffffa033847b>] ipv6_rcv_saddr_equal+0x1bb/0x250 [ipv6] [<ffffffffa03505a8>] inet6_csk_bind_conflict+0x88/0xd0 [ipv6] [<ffffffff805bb18e>] inet_csk_get_port+0x1ee/0x400 [<ffffffffa0319b7f>] inet6_bind+0x1cf/0x3a0 [ipv6] [<ffffffff8056d17c>] ? sockfd_lookup_light+0x3c/0xd0 [<ffffffff8056ed49>] sys_bind+0x89/0x100 [<ffffffff80613ea2>] ? trace_hardirqs_on_thunk+0x3a/0x3c [<ffffffff8020bf9b>] system_call_fastpath+0x16/0x1b Tested-by: Brian Haley <brian.haley@hp.com> Tested-by: Ed Tomlinson <edt@aei.ca> Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Vlad Yasevich · David S. Miller
1 parent 48f6e89908
Showing 3 changed files with 6 additions and 5 deletions Side-by-side Diff
include/net/udp.h
net/ipv4/udp.c
net/ipv6/udp.c
@@ -124,8 +124,6 @@
 	sk_common_release(sk);
 }
  
-extern int	ipv4_rcv_saddr_equal(const struct sock *sk1,
-				    const struct sock *sk2);
 extern int	udp_lib_get_port(struct sock *sk, unsigned short snum,
 		int (*)(const struct sock*,const struct sock*));
  
@@ -222,7 +222,7 @@
 	return error;
 }
  
-int ipv4_rcv_saddr_equal(const struct sock *sk1, const struct sock *sk2)
+static int ipv4_rcv_saddr_equal(const struct sock *sk1, const struct sock *sk2)
 {
 	struct inet_sock *inet1 = inet_sk(sk1), *inet2 = inet_sk(sk2);
  
@@ -1823,7 +1823,6 @@
 EXPORT_SYMBOL(udp_lib_setsockopt);
 EXPORT_SYMBOL(udp_poll);
 EXPORT_SYMBOL(udp_lib_get_port);
-EXPORT_SYMBOL(ipv4_rcv_saddr_equal);
  
 #ifdef CONFIG_PROC_FS
 EXPORT_SYMBOL(udp_proc_register);
@@ -53,6 +53,8 @@
 {
 	const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
 	const struct in6_addr *sk2_rcv_saddr6 = inet6_rcv_saddr(sk2);
+	__be32 sk_rcv_saddr = inet_sk(sk)->rcv_saddr;
+	__be32 sk2_rcv_saddr = inet_rcv_saddr(sk2);
 	int sk_ipv6only = ipv6_only_sock(sk);
 	int sk2_ipv6only = inet_v6_ipv6only(sk2);
 	int addr_type = ipv6_addr_type(sk_rcv_saddr6);
@@ -60,7 +62,9 @@
  
 	/* if both are mapped, treat as IPv4 */
 	if (addr_type == IPV6_ADDR_MAPPED && addr_type2 == IPV6_ADDR_MAPPED)
-		return ipv4_rcv_saddr_equal(sk, sk2);
+		return (!sk2_ipv6only &&
+			(!sk_rcv_saddr || !sk2_rcv_saddr ||
+			  sk_rcv_saddr == sk2_rcv_saddr));
  
 	if (addr_type2 == IPV6_ADDR_ANY &&
 	    !(sk2_ipv6only && addr_type == IPV6_ADDR_MAPPED))
...	...	@@ -124,8 +124,6 @@
124	124	sk_common_release(sk);
125	125	}
126	126
127		-extern int ipv4_rcv_saddr_equal(const struct sock *sk1,
128		- const struct sock *sk2);
129	127	extern int udp_lib_get_port(struct sock *sk, unsigned short snum,
130	128	int ()(const struct sock,const struct sock*));
131	129
...	...	@@ -222,7 +222,7 @@
222	222	return error;
223	223	}
224	224
225		-int ipv4_rcv_saddr_equal(const struct sock sk1, const struct sock sk2)
	225	+static int ipv4_rcv_saddr_equal(const struct sock sk1, const struct sock sk2)
226	226	{
227	227	struct inet_sock inet1 = inet_sk(sk1), inet2 = inet_sk(sk2);
228	228
...	...	@@ -1823,7 +1823,6 @@
1823	1823	EXPORT_SYMBOL(udp_lib_setsockopt);
1824	1824	EXPORT_SYMBOL(udp_poll);
1825	1825	EXPORT_SYMBOL(udp_lib_get_port);
1826		-EXPORT_SYMBOL(ipv4_rcv_saddr_equal);
1827	1826
1828	1827	#ifdef CONFIG_PROC_FS
1829	1828	EXPORT_SYMBOL(udp_proc_register);
...	...	@@ -53,6 +53,8 @@
53	53	{
54	54	const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
55	55	const struct in6_addr *sk2_rcv_saddr6 = inet6_rcv_saddr(sk2);
	56	+ __be32 sk_rcv_saddr = inet_sk(sk)->rcv_saddr;
	57	+ __be32 sk2_rcv_saddr = inet_rcv_saddr(sk2);
56	58	int sk_ipv6only = ipv6_only_sock(sk);
57	59	int sk2_ipv6only = inet_v6_ipv6only(sk2);
58	60	int addr_type = ipv6_addr_type(sk_rcv_saddr6);
...	...	@@ -60,7 +62,9 @@
60	62
61	63	/* if both are mapped, treat as IPv4 */
62	64	if (addr_type == IPV6_ADDR_MAPPED && addr_type2 == IPV6_ADDR_MAPPED)
63		- return ipv4_rcv_saddr_equal(sk, sk2);
	65	+ return (!sk2_ipv6only &&
	66	+ (!sk_rcv_saddr \|\| !sk2_rcv_saddr \|\|
	67	+ sk_rcv_saddr == sk2_rcv_saddr));
64	68
65	69	if (addr_type2 == IPV6_ADDR_ANY &&
66	70	!(sk2_ipv6only && addr_type == IPV6_ADDR_MAPPED))