On 1/2/19 5:29 AM, Stefano Brivio wrote: > In ip6_neigh_lookup(), we must not return errors coming from > neigh_create(): if creation of a neighbour entry fails, the lookup should > return NULL, in the same way as it's done in __neigh_lookup(). > > Otherwise, callers legitimately checking for a non-NULL return value of > the lookup function might dereference an invalid pointer. > > For instance, on neighbour table overflow, ndisc_router_discovery() > crashes ndisc_update() by passing ERR_PTR(-ENOBUFS) as 'neigh' argument. > > Reported-by: Jianlin Shi <[email protected]> > Fixes: f8a1b43b709d ("net/ipv6: Create a neigh_lookup for FIB entries") > Signed-off-by: Stefano Brivio <[email protected]> > --- > net/ipv6/route.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/net/ipv6/route.c b/net/ipv6/route.c > index a94e0b02a8ac..40b225f87d5e 100644 > --- a/net/ipv6/route.c > +++ b/net/ipv6/route.c > @@ -210,7 +210,9 @@ struct neighbour *ip6_neigh_lookup(const struct in6_addr > *gw, > n = __ipv6_neigh_lookup(dev, daddr); > if (n) > return n; > - return neigh_create(&nd_tbl, daddr, dev); > + > + n = neigh_create(&nd_tbl, daddr, dev); > + return IS_ERR(n) ? NULL : n; > } > > static struct neighbour *ip6_dst_neigh_lookup(const struct dst_entry *dst, >
I see now -- dst_neigh_lookup handles that check and I forgot to add the same to the new ip6_neigh_lookup. Thanks for the patch. Reviewed-by: David Ahern <[email protected]>
