net: fib: fib6_add: fix potential NULL pointer dereference
[deliverable/linux.git] / net / ipv6 / ip6_fib.c
index bff3d821c7ebb7cf7b05342a5e4a9b4ddb14cd4a..5bec666aba61d464fab4e77684eedd4265143cf9 100644 (file)
@@ -425,8 +425,8 @@ out:
  *     node.
  */
 
-static struct fib6_node * fib6_add_1(struct fib6_node *root, void *addr,
-                                    int addrlen, int plen,
+static struct fib6_node *fib6_add_1(struct fib6_node *root,
+                                    struct in6_addr *addr, int plen,
                                     int offset, int allow_create,
                                     int replace_required)
 {
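Review bot: The new `addr` parameter of fib6_add_1 could be const-qualified, `const struct in6_addr *addr, int plen,`, since its only use visible in this diff is the read-only `__ipv6_addr_diff(addr, &key->addr, sizeof(*addr))` call in the next hunk. Typing the pointer and deriving the length from it is a sound hardening step, because a caller can no longer pass a length that disagrees with the object. The body of fib6_add_1 continues outside the hunk, so confirm that nothing else writes through `addr` before adding the qualifier.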
@@ -543,7 +543,7 @@ insert_above:
           but if it is >= plen, the value is ignored in any case.
         */
 
-       bit = __ipv6_addr_diff(addr, &key->addr, addrlen);
+       bit = __ipv6_addr_diff(addr, &key->addr, sizeof(*addr));
 
        /*
         *              (intermediate)[in]
@@ -822,12 +822,12 @@ int fib6_add(struct fib6_node *root, struct rt6_info *rt, struct nl_info *info)
        if (!allow_create && !replace_required)
                pr_warn("RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE\n");
 
-       fn = fib6_add_1(root, &rt->rt6i_dst.addr, sizeof(struct in6_addr),
-                       rt->rt6i_dst.plen, offsetof(struct rt6_info, rt6i_dst),
-                       allow_create, replace_required);
-
+       fn = fib6_add_1(root, &rt->rt6i_dst.addr, rt->rt6i_dst.plen,
+                       offsetof(struct rt6_info, rt6i_dst), allow_create,
+                       replace_required);
        if (IS_ERR(fn)) {
                err = PTR_ERR(fn);
+               fn = NULL;
                goto out;
        }
 
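Review bot: The added `fn = NULL;` in the IS_ERR branch has no comment, and the reason for it lies at the `out:` label of fib6_add, which is outside this hunk. Presumably the cleanup code there inspects `fn`, and an ERR_PTR value would pass a plain non-NULL test and then be dereferenced. A one-line comment would keep the reset from being dropped in a later cleanup, for example `/* fn is an ERR_PTR here; clear it so the out: path does not treat it as a node */`. The later subtree calls store their result in `sn` rather than `fn`, so it is worth checking that their error paths reach `out:` only with a valid `fn`.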
@@ -863,7 +863,7 @@ int fib6_add(struct fib6_node *root, struct rt6_info *rt, struct nl_info *info)
                        /* Now add the first leaf node to new subtree */
 
                        sn = fib6_add_1(sfn, &rt->rt6i_src.addr,
-                                       sizeof(struct in6_addr), rt->rt6i_src.plen,
+                                       rt->rt6i_src.plen,
                                        offsetof(struct rt6_info, rt6i_src),
                                        allow_create, replace_required);
 
@@ -882,7 +882,7 @@ int fib6_add(struct fib6_node *root, struct rt6_info *rt, struct nl_info *info)
                        fn->subtree = sfn;
                } else {
                        sn = fib6_add_1(fn->subtree, &rt->rt6i_src.addr,
-                                       sizeof(struct in6_addr), rt->rt6i_src.plen,
+                                       rt->rt6i_src.plen,
                                        offsetof(struct rt6_info, rt6i_src),
                                        allow_create, replace_required);
 
@@ -993,14 +993,22 @@ static struct fib6_node * fib6_lookup_1(struct fib6_node *root,
 
                        if (ipv6_prefix_equal(&key->addr, args->addr, key->plen)) {
 #ifdef CONFIG_IPV6_SUBTREES
-                               if (fn->subtree)
-                                       fn = fib6_lookup_1(fn->subtree, args + 1);
+                               if (fn->subtree) {
+                                       struct fib6_node *sfn;
+                                       sfn = fib6_lookup_1(fn->subtree,
+                                                           args + 1);
+                                       if (!sfn)
+                                               goto backtrack;
+                                       fn = sfn;
+                               }
 #endif
-                               if (!fn || fn->fn_flags & RTN_RTINFO)
+                               if (fn->fn_flags & RTN_RTINFO)
                                        return fn;
                        }
                }
-
+#ifdef CONFIG_IPV6_SUBTREES
+backtrack:
+#endif
                if (fn->fn_flags & RTN_ROOT)
                        break;
 
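Review bot: The subtree-miss path in fib6_lookup_1 deserves a comment, because `goto backtrack` deliberately leaves `fn` pointing at the destination-tree node so that the `RTN_ROOT` test after the label works on a valid pointer. Something like `/* no match in the source subtree: keep fn and resume at backtrack */` above the `goto` would record that. As a style point, `struct fib6_node *sfn;` is followed directly by a statement, where kernel style puts a blank line after declarations. This hunk also changes lookup results (a miss in the subtree no longer ends the lookup with NULL), which the commit title, naming only fib6_add, does not mention. The loop around these lines starts and ends outside the hunk.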