nagai/kernel
3
0
Fork 0
forked from mirrors/linux
Code Pull requests Activity

tipc: Fix NULL pointer dereference in __tipc_sendstream()

Browse source 
tipc_sendstream() may send zero length packet, then tipc_msg_append()
do not alloc skb, skb_peek_tail() will get NULL, msg_set_ack_required
will trigger NULL pointer dereference.

Reported-by: syzbot+8eac6d030e7807c21d32@syzkaller.appspotmail.com
Fixes: 0a3e060f34 ("tipc: add test for Nagle algorithm effectiveness")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
YueHaibing 2020-05-28 22:34:07 +08:00 committed by David S. Miller
parent eae9d3c016
commit 4c21daae3d
1 changed files with 6 additions and 2 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

8
net/tipc/socket.c
View file

@ -1588,8 +1588,12 @@ static int __tipc_sendstream(struct socket *sock, struct msghdr *m, size_t dlen)
tsk->pkt_cnt += skb_queue_len(txq);
} else {
skb = skb_peek_tail(txq);
msg_set_ack_required(buf_msg(skb));
tsk->expect_ack = true;
if (skb) {
msg_set_ack_required(buf_msg(skb));
tsk->expect_ack = true;
} else {
tsk->expect_ack = false;
}
tsk->msg_acc = 0;
tsk->pkt_cnt = 0;
}