From d4787a15432384826a0bed42d189fc2a97dc73ea Mon Sep 17 00:00:00 2001 From: Tony Cheneau Date: Wed, 11 Jul 2012 06:51:14 +0000 Subject: [PATCH] 6lowpan: Fix null pointer dereference in UDP uncompression function When a UDP packet gets fragmented, a crash will occur at reassembly time. This is because skb->transport_header is not set during earlier period of fragment reassembly. As a consequence, call to udp_hdr() return NULL and uh (which is NULL) gets dereferenced without much test. Signed-off-by: Tony Cheneau Signed-off-by: David S. Miller --- net/ieee802154/6lowpan.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c index 6871ec1b30f8..416a54d31fb2 100644 --- a/net/ieee802154/6lowpan.c +++ b/net/ieee802154/6lowpan.c @@ -314,6 +314,9 @@ lowpan_uncompress_udp_header(struct sk_buff *skb) struct udphdr *uh = udp_hdr(skb); u8 tmp; + if (!uh) + goto err; + if (lowpan_fetch_skb_u8(skb, &tmp)) goto err; -- 2.39.5