On Wed, Mar 13, 2024 at 2:23 PM Mikhail Lobanov <m.lobanov@xxxxxxxxxxxx> wrote: > > To avoid the problem of dereferencing the null pointer in the x25_accept() > function, you need to add an additional check that the pointer skb is > not equal to NULL. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Signed-off-by: Mikhail Lobanov <m.lobanov@xxxxxxxxxxxx> > --- > net/x25/af_x25.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c > index f7a7c7798c3b..91bc5994cef6 100644 > --- a/net/x25/af_x25.c > +++ b/net/x25/af_x25.c > @@ -896,7 +896,7 @@ static int x25_accept(struct socket *sock, struct socket *newsock, int flags, > goto out2; > skb = skb_dequeue(&sk->sk_receive_queue); skb can not be NULL at this point, we hold the socket lock. Otherwise the bug would be in x25_wait_for_data() > rc = -EINVAL; > - if (!skb->sk) > + if (!skb || !skb->sk) > goto out2; > newsk = skb->sk; > sock_graft(newsk, newsock); > -- > 2.43.0 >
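Review bot: the added "!skb" test in "if (!skb || !skb->sk)" has no stated reachable path. The commit message cites only a static-analysis report and does not say how skb_dequeue(&sk->sk_receive_queue) could return NULL at this point in x25_accept(). If the queue is guaranteed to be non-empty here, the check is dead code. It also reuses "rc = -EINVAL" and "goto out2", so a broken invariant would look the same to the caller as the existing "!skb->sk" case. Either describe in the commit message the sequence that leaves the receive queue empty before the dequeue, or drop the check.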