In ip6_xmit(), there is an if statement on line 245 to check whether 
np is NULL:
    if (np)

When np is NULL, it is used on line 251:
    ip6_autoflowlabel(net, np)
        if (!np->autoflowlabel_set)

Thus, a possible null-pointer dereference may occur.

To fix this bug, np is checked before calling ip6_autoflowlabel(net, np).

This bug is found by a static analysis tool STCheck written by us.

Signed-off-by: Jia-Ju Bai <baijiaju1...@gmail.com>
---
 net/ipv6/ip6_output.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 8e49fd62eea9..07db5ab6e970 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -247,8 +247,10 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, 
struct flowi6 *fl6,
        if (hlimit < 0)
                hlimit = ip6_dst_hoplimit(dst);
 
-       ip6_flow_hdr(hdr, tclass, ip6_make_flowlabel(net, skb, fl6->flowlabel,
-                               ip6_autoflowlabel(net, np), fl6));
+       if (np) {
+               ip6_flow_hdr(hdr, tclass, ip6_make_flowlabel(net, skb, 
fl6->flowlabel,
+                                       ip6_autoflowlabel(net, np), fl6));
+       }
 
        hdr->payload_len = htons(seg_len);
        hdr->nexthdr = proto;
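Review bot: guarding the whole ip6_flow_hdr() call with `if (np)` means that when np is NULL the first header word (version, traffic class, flow label) is never written, while `hdr->payload_len` and `hdr->nexthdr` on the lines just below are still set, so a NULL np now produces a partly uninitialized IPv6 header instead of a crash. Only the `ip6_autoflowlabel(net, np)` argument needs np; guard that instead (for example `np ? ip6_autoflowlabel(net, np) : <the per-net default>`, or make ip6_autoflowlabel() itself fall back to the net-wide setting when np is NULL) and keep ip6_flow_hdr() unconditional. The commit message should also say which caller reaches ip6_xmit() with np == NULL; as written the only evidence is the `if (np)` on line 245, which makes the extra check look speculative. Finally, the hunk header ("struct flowi6 *fl6," on its own line) and the new ip6_flow_hdr() line ("fl6->flowlabel," wrapped) have been line-wrapped in transit, so the patch as posted will not apply; please resend with git send-email.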
-- 
2.17.0
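To make the difference between the two ways of guarding concrete, here is an added example; it is not code from the patch or from the kernel. The hyp_* types and functions are constructed stand-ins with the same shape as the kernel calls quoted in the patch (ip6_autoflowlabel() dereferences np unconditionally, ip6_flow_hdr() writes the first header word), the header space is poisoned with 0xAA to model memory freshly pushed for the header, and the fixed label 0x12345 is an assumption standing in for ip6_make_flowlabel()'s hashed value. Variant A guards the whole call, as the hunk does; variant B guards only the argument that needs np.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel types; field names are assumptions, not the real layout. */
struct hyp_net { bool sysctl_auto_flowlabels; };                      /* net-wide default */
struct hyp_ipv6_pinfo { bool autoflowlabel_set; bool autoflowlabel; }; /* per-socket override */
struct hyp_ipv6hdr { uint8_t b[4]; };                                 /* version | tclass | flow label */

/* Same shape as the ip6_autoflowlabel() quoted in the commit message: np is dereferenced unconditionally. */
static bool hyp_autoflowlabel(const struct hyp_net *net, const struct hyp_ipv6_pinfo *np)
{
    if (!np->autoflowlabel_set)
        return net->sysctl_auto_flowlabels;
    return np->autoflowlabel;
}

/* Stand-in for ip6_make_flowlabel(): hand out a fixed label when auto-labelling is on and none was given. */
static uint32_t hyp_make_flowlabel(uint32_t flowlabel, bool autolabel)
{
    return (flowlabel == 0 && autolabel) ? 0x12345u : flowlabel;
}

/* Stand-in for ip6_flow_hdr(): version 6, 8-bit traffic class, 20-bit flow label, network order. */
static void hyp_flow_hdr(struct hyp_ipv6hdr *hdr, uint8_t tclass, uint32_t flowlabel)
{
    uint32_t word = (6u << 28) | ((uint32_t)tclass << 20) | (flowlabel & 0xFFFFFu);

    hdr->b[0] = (uint8_t)(word >> 24);
    hdr->b[1] = (uint8_t)(word >> 16);
    hdr->b[2] = (uint8_t)(word >> 8);
    hdr->b[3] = (uint8_t)word;
}

static uint32_t hyp_hdr_word(const struct hyp_ipv6hdr *hdr)
{
    return ((uint32_t)hdr->b[0] << 24) | ((uint32_t)hdr->b[1] << 16) |
           ((uint32_t)hdr->b[2] << 8) | hdr->b[3];
}

/* Variant A, the patch's approach: guard the whole header-building call.
 * The header bytes are poisoned first to model memory freshly pushed for the header. */
static uint32_t xmit_guard_call(const struct hyp_net *net, const struct hyp_ipv6_pinfo *np,
                                uint8_t tclass, uint32_t flowlabel)
{
    struct hyp_ipv6hdr hdr;

    memset(&hdr, 0xAA, sizeof(hdr));
    if (np)
        hyp_flow_hdr(&hdr, tclass,
                     hyp_make_flowlabel(flowlabel, hyp_autoflowlabel(net, np)));
    return hyp_hdr_word(&hdr);
}

/* Variant B: guard only the argument that needs np and always write the header. */
static uint32_t xmit_guard_arg(const struct hyp_net *net, const struct hyp_ipv6_pinfo *np,
                               uint8_t tclass, uint32_t flowlabel)
{
    struct hyp_ipv6hdr hdr;
    bool autolabel = np ? hyp_autoflowlabel(net, np) : net->sysctl_auto_flowlabels;

    memset(&hdr, 0xAA, sizeof(hdr));
    hyp_flow_hdr(&hdr, tclass, hyp_make_flowlabel(flowlabel, autolabel));
    return hyp_hdr_word(&hdr);
}

/* Scenarios: net-wide auto flow labels on, caller supplies no label. */
static uint32_t demo_guard_call_null_np(void)
{
    struct hyp_net net = { .sysctl_auto_flowlabels = true };
    return xmit_guard_call(&net, NULL, 0, 0);   /* header never written: 0xAAAAAAAA, version nibble 0xA */
}

static uint32_t demo_guard_arg_null_np(void)
{
    struct hyp_net net = { .sysctl_auto_flowlabels = true };
    return xmit_guard_arg(&net, NULL, 0, 0);    /* version 6, label from the net default: 0x60012345 */
}

static uint32_t demo_guard_arg_with_np(void)
{
    struct hyp_net net = { .sysctl_auto_flowlabels = true };
    struct hyp_ipv6_pinfo np = { .autoflowlabel_set = true, .autoflowlabel = false };
    return xmit_guard_arg(&net, &np, 0, 0);     /* socket opted out of auto labels: 0x60000000 */
}

int main(void)
{
    printf("guard call, np NULL : 0x%08x (version nibble %u)\n",
           demo_guard_call_null_np(), demo_guard_call_null_np() >> 28);
    printf("guard arg,  np NULL : 0x%08x (version nibble %u)\n",
           demo_guard_arg_null_np(), demo_guard_arg_null_np() >> 28);
    printf("guard arg,  np set  : 0x%08x\n", demo_guard_arg_with_np());
    return 0;
}
```

With np NULL, variant A leaves the poison in place (the version nibble on the wire is whatever the memory held), while variant B emits a well-formed version 6 header using the net-wide auto-flowlabel setting; with a socket present both variants behave the same.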
