On Fri, Sep 8, 2017 at 1:46 PM, Oliver Hartkopp <socketcan@xxxxxxxxxxxx> wrote:
>
>
> On 09/08/2017 05:02 PM, Colin King wrote:
>>
>> From: Colin Ian King <colin.king@xxxxxxxxxxxxx>
>>
>> The assignment of net via call sock_net will dereference sk. This
>> is performed before a sanity null check on sk, so there could be
>> a potential null dereference on the sock_net call if sk is null.
>> Fix this by assigning net after the sk null check. Also replace
>> the sk == NULL with the more usual !sk idiom.
>>
>> Detected by CoverityScan CID#1431862 ("Dereference before null check")
>>
>> Fixes: 384317ef4187 ("can: network namespace support for CAN_BCM
>> protocol")
>> Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
>
>
> Acked-by: Oliver Hartkopp <socketcan@xxxxxxxxxxxx>
I don't see this one queued up in the net or net-next trees. Did it
fall through the cracks or did it get queued up elsewhere? Seems like
it's a good candidate to get into 4.14?
josh
>
>
> Thanks Collin!
>
>
>> ---
>> net/can/bcm.c | 5 +++--
>> 1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/net/can/bcm.c b/net/can/bcm.c
>> index 47a8748d953a..a3791674b8ce 100644
>> --- a/net/can/bcm.c
>> +++ b/net/can/bcm.c
>> @@ -1493,13 +1493,14 @@ static int bcm_init(struct sock *sk)
>> static int bcm_release(struct socket *sock)
>> {
>> struct sock *sk = sock->sk;
>> - struct net *net = sock_net(sk);
>> + struct net *net;
>> struct bcm_sock *bo;
>> struct bcm_op *op, *next;
>> - if (sk == NULL)
>> + if (!sk)
>> return 0;
>> + net = sock_net(sk);
>> bo = bcm_sk(sk);
>> /* remove bcm_ops, timer, rx_unregister(), etc. */
>>
>
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
