From: Tony Cheneau Date: Wed, 11 Jul 2012 06:51:14 +0000 (+0000) Subject: 6lowpan: Fix null pointer dereference in UDP uncompression function X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=d4787a15432384826a0bed42d189fc2a97dc73ea;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git 6lowpan: Fix null pointer dereference in UDP uncompression function When a UDP packet gets fragmented, a crash will occur at reassembly time. This is because skb->transport_header is not set during earlier period of fragment reassembly. As a consequence, call to udp_hdr() return NULL and uh (which is NULL) gets dereferenced without much test. Signed-off-by: Tony Cheneau Signed-off-by: David S. Miller --- diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c index 6871ec1b30f8..416a54d31fb2 100644 --- a/net/ieee802154/6lowpan.c +++ b/net/ieee802154/6lowpan.c @@ -314,6 +314,9 @@ lowpan_uncompress_udp_header(struct sk_buff *skb) struct udphdr *uh = udp_hdr(skb); u8 tmp; + if (!uh) + goto err; + if (lowpan_fetch_skb_u8(skb, &tmp)) goto err;