In ip6_xmit(), there is an if statement on line 245 to check whether np is NULL: if (np)
When np is NULL, it is used on line 251: ip6_autoflowlabel(net, np) if (!np->autoflowlabel_set) Thus, a possible null-pointer dereference may occur. To fix this bug, np is checked before calling ip6_autoflowlabel(net,np). This bug is found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai <baijiaju1...@gmail.com> --- net/ipv6/ip6_output.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 8e49fd62eea9..07db5ab6e970 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -247,8 +247,10 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6, if (hlimit < 0) hlimit = ip6_dst_hoplimit(dst); - ip6_flow_hdr(hdr, tclass, ip6_make_flowlabel(net, skb, fl6->flowlabel, - ip6_autoflowlabel(net, np), fl6)); + if (np) { + ip6_flow_hdr(hdr, tclass, ip6_make_flowlabel(net, skb, fl6->flowlabel, + ip6_autoflowlabel(net, np), fl6)); + } hdr->payload_len = htons(seg_len); hdr->nexthdr = proto; -- 2.17.0
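Review bot: guarding the entire ip6_flow_hdr() call with `if (np) {` removes the dereference but also skips initialising the header: when np is NULL, the version, traffic class and flow label of `hdr` are never written before `hdr->payload_len = htons(seg_len);`, so the packet leaves with whatever was in that memory. The NULL check belongs on the one argument that needs it, not on the whole call: keep `ip6_flow_hdr(hdr, tclass, ip6_make_flowlabel(...))` unconditional and, when np is NULL, pass the net-wide default that ip6_autoflowlabel() itself falls back to when `autoflowlabel_set` is clear (or make ip6_autoflowlabel() accept a NULL np, since the `if (!np->autoflowlabel_set)` line quoted in the commit message is the only dereference). The commit message should also say which callers reach ip6_xmit() without an inet6 socket, so the reviewer can judge whether the NULL case is real rather than only that a static checker reported it.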