summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGen Zhang <blackgod016574@gmail.com>2019-05-24 11:19:46 +0800
committerDavid S. Miller <davem@davemloft.net>2019-05-25 10:59:45 -0700
commit95baa60a0da80a0143e3ddd4d3725758b4513825 (patch)
tree92e64fdc3fa8a299c24ab678fc46ad807cb254b2
parent4097e9d250fb17958c1d9b94538386edd3f20144 (diff)
downloadlinux-95baa60a0da80a0143e3ddd4d3725758b4513825.tar.bz2
ipv6_sockglue: Fix a missing-check bug in ip6_ra_control()
In function ip6_ra_control(), the pointer new_ra is allocated a memory space via kmalloc(). And it is used in the following codes. However, when there is a memory allocation error, kmalloc() fails. Thus null pointer dereference may happen. And it will cause the kernel to crash. Therefore, we should check the return value and handle the error. Signed-off-by: Gen Zhang <blackgod016574@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv6/ipv6_sockglue.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 40f21fef25ff..0a3d035feb61 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -68,6 +68,8 @@ int ip6_ra_control(struct sock *sk, int sel)
return -ENOPROTOOPT;
new_ra = (sel >= 0) ? kmalloc(sizeof(*new_ra), GFP_KERNEL) : NULL;
+ if (sel >= 0 && !new_ra)
+ return -ENOMEM;
write_lock_bh(&ip6_ra_lock);
for (rap = &ip6_ra_chain; (ra = *rap) != NULL; rap = &ra->next) {