xfrm: check for a vaild skb in xfrm_policy_queue_process
authorSteffen Klassert <steffen.klassert@secunet.com>
Tue, 8 Oct 2013 08:49:51 +0000 (10:49 +0200)
committerSteffen Klassert <steffen.klassert@secunet.com>
Tue, 8 Oct 2013 08:49:51 +0000 (10:49 +0200)
We might dereference a NULL pointer if the hold_queue is empty,
so add a check to avoid this.

Bug was introduced with git commit a0073fe18 ("xfrm: Add a state
resolution packet queue")

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
net/xfrm/xfrm_policy.c

index 5f9be976770e3694b6dce7b50aef09040e4da6c0..76e1873811d4cac098cd4d563e865e847997a4a4 100644 (file)
@@ -1772,6 +1772,10 @@ static void xfrm_policy_queue_process(unsigned long arg)
 
        spin_lock(&pq->hold_queue.lock);
        skb = skb_peek(&pq->hold_queue);
+       if (!skb) {
+               spin_unlock(&pq->hold_queue.lock);
+               goto out;
+       }
        dst = skb_dst(skb);
        sk = skb->sk;
        xfrm_decode_session(skb, &fl, dst->ops->family);
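Review bot: The line after the new guard, `dst = skb_dst(skb);`, still feeds `dst->ops->family` with no check, so the added `!skb` test covers only the empty-queue case and an skb without a dst would fault in the same place. Whether every skb placed on `hold_queue` is guaranteed to carry a dst is not visible in this hunk. If that invariant holds, record it next to the dereference with a comment such as `/* skbs are only queued with a dst attached, so dst is non-NULL here */`; otherwise widen the guard to `if (!skb || !skb_dst(skb))`. The function body and the `out` label are outside the hunk, so also confirm that `out` releases only what was taken before the lock and does not touch `hold_queue.lock`, which this path has already dropped.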