summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2006-12-05 22:46:13 +0100
committerDavid S. Miller <davem@sunset.davemloft.net>2006-12-07 03:39:07 +0100
commit5c804bfdcca2593422dd6edc2d7db4dba645543c (patch)
treeb8b0993a2855372b037f6bbef2f4b67908b16ce8
parent[NETFILTER]: bridge netfilter: deal with martians correctly (diff)
downloadlinux-5c804bfdcca2593422dd6edc2d7db4dba645543c.tar.xz
linux-5c804bfdcca2593422dd6edc2d7db4dba645543c.zip
[NET_SCHED]: cls_fw: fix NULL pointer dereference
When the first fw classifier is initialized, there is a small window between the ->init() and ->change() calls, during which the classifier is active but not entirely set up and tp->root is still NULL (->init() does nothing). When a packet is queued during this window a NULL pointer dereference occurs in fw_classify() when trying to dereference head->mask; Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/sched/cls_fw.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index f59a2c4aa039..c797d6ada7de 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -101,9 +101,10 @@ static int fw_classify(struct sk_buff *skb, struct tcf_proto *tp,
struct fw_head *head = (struct fw_head*)tp->root;
struct fw_filter *f;
int r;
- u32 id = skb->mark & head->mask;
+ u32 id = skb->mark;
if (head != NULL) {
+ id &= head->mask;
for (f=head->ht[fw_hash(id)]; f; f=f->next) {
if (f->id == id) {
*res = f->res;