From: Gen Zhang <blackgod016574@gmail.com>
Date: Fri, 24 May 2019 03:19:46 +0000 (+0800)
Subject: ipv6_sockglue: Fix a missing-check bug in ip6_ra_control()
X-Git-Tag: v4.1.12-124.31.3~46
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=104afdae57dfce5d7b82cbeedb453563625ab472;p=users%2Fjedix%2Flinux-maple.git

ipv6_sockglue: Fix a missing-check bug in ip6_ra_control()

In function ip6_ra_control(), the pointer new_ra is allocated a memory
space via kmalloc(). And it is used in the following codes. However,
when there is a memory allocation error, kmalloc() fails. Thus null
pointer dereference may happen. And it will cause the kernel to crash.
Therefore, we should check the return value and handle the error.

Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 95baa60a0da80a0143e3ddd4d3725758b4513825)

Orabug: 29926057
CVE: CVE-2019-12378

Reviewed-by:  John Donnelly <John.p.donnelly@oracle.com>
Signed-off-by: Allen Pais <allen.pais@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>
---

diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 4449ad1f81147..7bdb24acced79 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -67,6 +67,8 @@ int ip6_ra_control(struct sock *sk, int sel)
 		return -ENOPROTOOPT;
 
 	new_ra = (sel >= 0) ? kmalloc(sizeof(*new_ra), GFP_KERNEL) : NULL;
+	if (sel >= 0 && !new_ra)
+		return -ENOMEM;
 
 	write_lock_bh(&ip6_ra_lock);
 	for (rap = &ip6_ra_chain; (ra = *rap) != NULL; rap = &ra->next) {