Skip to content

Commit

Permalink
tun/tap: Fix crashes if open() /dev/net/tun and then poll() it.
Browse files Browse the repository at this point in the history 
Fix NULL pointer dereference in tun_chr_pool() introduced by commit
33dccbb ("tun: Limit amount of queued
packets per device") and triggered by this code:

	int fd;
	struct pollfd pfd;
	fd = open("/dev/net/tun", O_RDWR);
	pfd.fd = fd;
	pfd.events = POLLIN | POLLOUT;
	poll(&pfd, 1, 0);

Reported-by: Eugene Kapun <abacabadabacaba@gmail.com>
Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
Mariusz Kozlowski authored and David S. Miller committed Jul 6, 2009
1 parent 1ded3f5 commit 3c8a9c6
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion drivers/net/tun.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -486,12 +486,14 @@ static unsigned int tun_chr_poll(struct file *file, poll_table * wait)
{
struct tun_file *tfile = file->private_data;
struct tun_struct *tun = __tun_get(tfile);
struct sock *sk = tun->sk;
struct sock *sk;
unsigned int mask = 0;

if (!tun)
return POLLERR;

sk = tun->sk;

DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);

poll_wait(file, &tun->socket.wait, wait);
Expand Down

0 comments on commit 3c8a9c6

Please sign in to comment.