aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorYOSHIFUJI Hideaki/吉藤英明 <hideaki.yoshifuji@miraclelinux.com>2015-07-13 23:28:10 +0900
committerLorenzo Colitti <lorenzo@google.com>2015-09-30 16:34:12 +0900
commitbb6b3d1230e2907273b4ec52364d157667325a12 (patch)
tree53da5ead3537e248680b24a28a261a856c79a7f0
parent976f2de217ce1755f6fd49531a2fc93be4a57ae2 (diff)
downloadlinux-linaro-stable-bb6b3d1230e2907273b4ec52364d157667325a12.tar.gz
ipv6: Fix finding best source address in ipv6_dev_get_saddr().
Commit 9131f3de2 ("ipv6: Do not iterate over all interfaces when finding source address on specific interface.") did not properly update best source address available. Plus, it introduced possible NULL pointer dereference. Bug was reported by Erik Kline <ek@google.com>. Based on patch proposed by Hajime Tazaki <thehajime@gmail.com>. Fixes: 9131f3de24db4dc12199aede7d931e6703e97f3b ("ipv6: Do not iterate over all interfaces when finding source address on specific interface.") Signed-off-by: YOSHIFUJI Hideaki <hideaki.yoshifuji@miraclelinux.com> Acked-by: Hajime Tazaki <thehajime@gmail.com> Acked-by: Erik Kline <ek@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv6/addrconf.c30
1 files changed, 18 insertions, 12 deletions
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 737153306d06..1600cfd36b26 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1345,14 +1345,15 @@ out:
return ret;
}
-static void __ipv6_dev_get_saddr(struct net *net,
- struct ipv6_saddr_dst *dst,
- unsigned int prefs,
- const struct in6_addr *saddr,
- struct inet6_dev *idev,
- struct ipv6_saddr_score *scores)
+static int __ipv6_dev_get_saddr(struct net *net,
+ struct ipv6_saddr_dst *dst,
+ unsigned int prefs,
+ const struct in6_addr *saddr,
+ struct inet6_dev *idev,
+ struct ipv6_saddr_score *scores,
+ int hiscore_idx)
{
- struct ipv6_saddr_score *score = &scores[0], *hiscore = &scores[1];
+ struct ipv6_saddr_score *score = &scores[1 - hiscore_idx], *hiscore = &scores[hiscore_idx];
read_lock_bh(&idev->lock);
list_for_each_entry(score->ifa, &idev->addr_list, if_list) {
@@ -1411,6 +1412,7 @@ static void __ipv6_dev_get_saddr(struct net *net,
in6_ifa_hold(score->ifa);
swap(hiscore, score);
+ hiscore_idx = 1 - hiscore_idx;
/* restore our iterator */
score->ifa = hiscore->ifa;
@@ -1421,18 +1423,20 @@ static void __ipv6_dev_get_saddr(struct net *net,
}
out:
read_unlock_bh(&idev->lock);
+ return hiscore_idx;
}
int ipv6_dev_get_saddr(struct net *net, const struct net_device *dst_dev,
const struct in6_addr *daddr, unsigned int prefs,
struct in6_addr *saddr)
{
- struct ipv6_saddr_score scores[2], *hiscore = &scores[1];
+ struct ipv6_saddr_score scores[2], *hiscore;
struct ipv6_saddr_dst dst;
struct inet6_dev *idev;
struct net_device *dev;
int dst_type;
bool use_oif_addr = false;
+ int hiscore_idx = 0;
dst_type = __ipv6_addr_type(daddr);
dst.addr = daddr;
@@ -1441,8 +1445,8 @@ int ipv6_dev_get_saddr(struct net *net, const struct net_device *dst_dev,
dst.label = ipv6_addr_label(net, daddr, dst_type, dst.ifindex);
dst.prefs = prefs;
- hiscore->rule = -1;
- hiscore->ifa = NULL;
+ scores[hiscore_idx].rule = -1;
+ scores[hiscore_idx].ifa = NULL;
rcu_read_lock();
@@ -1467,17 +1471,19 @@ int ipv6_dev_get_saddr(struct net *net, const struct net_device *dst_dev,
}
if (use_oif_addr) {
- __ipv6_dev_get_saddr(net, &dst, prefs, saddr, idev, scores);
+ if (idev)
+ hiscore_idx = __ipv6_dev_get_saddr(net, &dst, prefs, saddr, idev, scores, hiscore_idx);
} else {
for_each_netdev_rcu(net, dev) {
idev = __in6_dev_get(dev);
if (!idev)
continue;
- __ipv6_dev_get_saddr(net, &dst, prefs, saddr, idev, scores);
+ hiscore_idx = __ipv6_dev_get_saddr(net, &dst, prefs, saddr, idev, scores, hiscore_idx);
}
}
rcu_read_unlock();
+ hiscore = &scores[hiscore_idx];
if (!hiscore->ifa)
return -EADDRNOTAVAIL;