From: Patrick McHardy <kaber@trash.net>
Date: Tue, 5 Dec 2006 21:46:13 +0000 (-0800)
Subject: [NET_SCHED]: cls_fw: fix NULL pointer dereference
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=5c804bfdcca2593422dd6edc2d7db4dba645543c;p=linux.git

[NET_SCHED]: cls_fw: fix NULL pointer dereference

When the first fw classifier is initialized, there is a small window
between the ->init() and ->change() calls, during which the classifier
is active but not entirely set up and tp->root is still NULL (->init()
does nothing).

When a packet is queued during this window, a NULL pointer dereference
occurs in fw_classify() when trying to dereference head->mask.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index f59a2c4aa039b..c797d6ada7de0 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -101,9 +101,10 @@ static int fw_classify(struct sk_buff *skb, struct tcf_proto *tp,
 	struct fw_head *head = (struct fw_head*)tp->root;
 	struct fw_filter *f;
 	int r;
-	u32 id = skb->mark & head->mask;
+	u32 id = skb->mark;
 
 	if (head != NULL) {
+		id &= head->mask;
 		for (f=head->ht[fw_hash(id)]; f; f=f->next) {
 			if (f->id == id) {
 				*res = f->res;
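
Review bot: With `u32 id = skb->mark;`, id stays unmasked whenever head is NULL, so anything on the head == NULL path (outside the lines shown here) now sees the raw mark, and nothing in the code says why the mask moved inside the branch. A one-line comment at `if (head != NULL)` noting that tp->root can still be NULL between ->init() and ->change() would document the ordering and keep a later cleanup from hoisting `head->mask` back into the initializer. It is also worth confirming that the head == NULL path is meant to operate on the unmasked value.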