net/ipv6/addrconf.c: Check the return value of __in6_dev_get() in addrconf_type_change()

[PATCH v1] net/ipv6/addrconf.c: Check the return value of __in6_dev_get() in addrconf_type_change()

Posted by lily 3 years, 7 months ago

The function __in6_dev_get() could return NULL pointer. This needs to be
checked before used in ipv6_mc_remap() and ipv6_mc_unmap(). Otherwise it
could result in null pointer dereference.
---
 net/ipv6/addrconf.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index b624e3d8c5f0..b5e490fe0bcd 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -3718,6 +3718,9 @@ static void addrconf_type_change(struct net_device *dev, unsigned long event)
 
 	idev = __in6_dev_get(dev);
 
+	if(!idev)
+		return;
+	
 	if (event == NETDEV_POST_TYPE_CHANGE)
 		ipv6_mc_remap(idev);
 	else if (event == NETDEV_PRE_TYPE_CHANGE)
-- 
2.25.1

Re: [PATCH v1] net/ipv6/addrconf.c: Check the return value of __in6_dev_get() in addrconf_type_change()

Posted by Cong Wang 3 years, 7 months ago

On Sat, Aug 20, 2022 at 03:24:34AM -0700, lily wrote:
> The function __in6_dev_get() could return NULL pointer. This needs to be
> checked before used in ipv6_mc_remap() and ipv6_mc_unmap(). Otherwise it
> could result in null pointer dereference.

Its caller already checks it:

3689                 if (idev)
3690                         addrconf_type_change(dev, event);
3691                 break;