On 26/07/2019 at 04:25, Jia-Ju Bai wrote:
> In inet_csk_rebuild_route(), rt is assigned to NULL on line 1071.
> On line 1076, rt is used:
>     return &rt->dst;
> Thus, a possible null-pointer dereference may occur.
>
> To fix this bug, rt is checked before being used.
> 
> This bug is found by a static analysis tool STCheck written by us.
> 
> Signed-off-by: Jia-Ju Bai <[email protected]>
> ---
>  net/ipv4/inet_connection_sock.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
> index f5c163d4771b..27d9d80f3401 100644
> --- a/net/ipv4/inet_connection_sock.c
> +++ b/net/ipv4/inet_connection_sock.c
> @@ -1073,7 +1073,10 @@ static struct dst_entry *inet_csk_rebuild_route(struct 
> sock *sk, struct flowi *f
>               sk_setup_caps(sk, &rt->dst);
>       rcu_read_unlock();
>  
> -     return &rt->dst;
> +     if (rt)
> +             return &rt->dst;
> +     else
> +             return NULL;
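Review bot: the `if (rt)` guard added here is redundant in practice: `dst` is the first member of `struct rtable`, so `&rt->dst` is already NULL when `rt` is NULL, and the caller's existing NULL check on the returned `dst_entry` keeps working; the context line `sk_setup_caps(sk, &rt->dst);`, indented under a conditional, shows the only real use of `rt` in this region is already guarded. The changelog's claim of a null-pointer dereference is also inaccurate, since taking the address of a member does not read through the pointer. If an explicit form is wanted for readability (or to stop relying on the member offset), `return rt ? &rt->dst : NULL;` does it in one line instead of an if/else with two `return` statements, and the changelog should then describe the change as a cleanup, not a bug fix.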
Hmm, ->dst is the first field (and that will never change), thus &rt->dst is
NULL if rt is NULL.
I don't think there is a problem with the current code.


Regards,
Nicolas
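The offset-zero argument in Nicolas's reply, worked through as an added C example (this is not code from the patch, the reply, or the kernel). The struct definitions are simplified stand-ins for the kernel's `struct rtable` and `struct dst_entry`, `rebuild_route()` is a model of `inet_csk_rebuild_route()`, and `member_addr()` spells out the address arithmetic that `&rt->dst` compiles to. A `_Static_assert` pins the layout assumption at build time, and a hypothetical reordered layout shows what a caller's NULL check would miss if `dst` ever stopped being the first member.

```c
/* Added example, not code from the patch or the kernel. Stand-in structs
 * model the layout property discussed in the thread: dst is first. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct dst_entry {
    int refcnt;
};

/* Simplified model of struct rtable: dst is the first member. */
struct rtable {
    struct dst_entry dst;
    uint32_t rt_flags;
};

/* Pin the assumption callers rely on (the kernel would use BUILD_BUG_ON). */
_Static_assert(offsetof(struct rtable, dst) == 0,
               "callers rely on &rt->dst being NULL when rt is NULL");

/* Hypothetical layout where dst is NOT first; only here to show why the
 * static assert above matters. */
struct rtable_reordered {
    uint32_t rt_flags;
    struct dst_entry dst;
};

/* The arithmetic `&rt->dst` compiles to: base + offsetof(member). Written
 * with uintptr_t so it stays well-defined for base == NULL in this user-space
 * demo; the kernel relies on the same arithmetic (it builds with
 * -fno-delete-null-pointer-checks). No load through `base` happens here. */
static struct dst_entry *member_addr(const void *base, size_t offset)
{
    return (struct dst_entry *)((uintptr_t)base + offset);
}

/* Model of inet_csk_rebuild_route(): the lookup may have yielded NULL, the
 * only real use of rt is guarded, and &rt->dst is returned unconditionally. */
static struct dst_entry *rebuild_route(struct rtable *rt)
{
    if (rt)
        rt->rt_flags |= 1;      /* stands in for sk_setup_caps(sk, &rt->dst) */
    return member_addr(rt, offsetof(struct rtable, dst));
}

/* Same shape with the reordered layout: for a NULL rt the "dst" address is a
 * small non-NULL pointer, so a caller's `if (!dst)` check would pass. */
static struct dst_entry *rebuild_route_reordered(struct rtable_reordered *rt)
{
    return member_addr(rt, offsetof(struct rtable_reordered, dst));
}

/* How callers actually guard: test the returned dst_entry pointer. */
static int route_usable(const struct dst_entry *dst)
{
    return dst != NULL;
}

/* Self-check: a real route comes back as its own dst, with caps set. */
static int valid_route_ok(void)
{
    struct rtable r = { .dst = { .refcnt = 1 }, .rt_flags = 0 };
    struct dst_entry *dst = rebuild_route(&r);

    return dst == &r.dst && (r.rt_flags & 1) && route_usable(dst);
}

int main(void)
{
    printf("valid rt  -> ok=%d\n", valid_route_ok());
    printf("NULL rt   -> dst=%p usable=%d\n",
           (void *)rebuild_route(NULL), route_usable(rebuild_route(NULL)));
    printf("reordered -> dst=%p usable=%d (bogus pointer, check would pass)\n",
           (void *)rebuild_route_reordered(NULL),
           route_usable(rebuild_route_reordered(NULL)));
    return 0;
}
```

The point of the contrast is that the proposed patch does not fix anything today, but the code it touches does depend on a layout invariant; the `_Static_assert` is the cheap way to make that invariant fail loudly at build time instead of silently returning a non-NULL garbage `dst` pointer if someone reorders the struct.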
