diff options
| author | Willy Tarreau <w@1wt.eu> | 2009-08-13 23:48:05 +0200 |
|---|---|---|
| committer | Willy Tarreau <w@1wt.eu> | 2009-08-14 00:02:21 +0200 |
| commit | c18d0fe535a73b219f960d1af3d0c264555a12e3 (patch) | |
| tree | da8563800afeb63f1d92b364a28266ebf340e713 | |
| parent | 0fc96ec575895bbec9c6e5351ceec336a6d88afe (diff) | |
| download | linux-2.4-c18d0fe535a73b219f960d1af3d0c264555a12e3.tar.gz | |
net: fix possible NULL dereference in sock_sendpage()
This is the equivalent of 2.6 commit e694958388c50148389b0e9b9e9e8945cf0f1b98.
It adds a test in sock_sendpage() to avoid calling sock->ops->sock_sendpage()
on protocols which do not support it, as it would be NULL. In such a case,
we now call sock_no_sendpage() instead, as does kernel_sendpage() in 2.6.
This patch has been tested and confirmed to be enough to fix the security
issues discovered and reported by Julien Tinnes and Tavis Ormandy.
Signed-off-by: Willy Tarreau <w@1wt.eu>
| -rw-r--r-- | net/socket.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/socket.c b/net/socket.c index ac45b138c15fb2..298c283203ee73 100644 --- a/net/socket.c +++ b/net/socket.c @@ -607,6 +607,9 @@ ssize_t sock_sendpage(struct file *file, struct page *page, if (more) flags |= MSG_MORE; + if (!sock->ops->sendpage) + return sock_no_sendpage(sock, page, offset, size, flags); + return sock->ops->sendpage(sock, page, offset, size, flags); } |