
Bug#500472: maybe patch



>> Subject: Bug#500472: linux-image-2.6.26-1-openvz-amd64: NULL pointer
>> dereference in tcp_v4_send_ack
>
> Thanks! It is a mainstream bug. Fixed patch was sent to netdev@.

The patch is there: http://www.spinics.net/lists/netdev/msg76471.html

But it does not apply to 2.6.26 so I tried to backport it. Here is
what I could come up with (clearly not understanding what I was doing,
and taking into account the fact that a follow-up says the ipv6 codepath
is similar):

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index ffe869a..fffc708 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -687,7 +687,7 @@ static void tcp_v4_send_ack(struct tcp_timewait_sock *twsk,
        if (twsk)
                arg.bound_dev_if = twsk->tw_sk.tw_bound_dev_if;

-       ip_send_reply(dev_net(skb->dev)->ipv4.tcp_sock, skb,
+       ip_send_reply(dev_net(skb->dst->dev)->ipv4.tcp_sock, skb,
                      &arg, arg.iov[0].iov_len);

        TCP_INC_STATS_BH(TCP_MIB_OUTSEGS);
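Review bot: the replacement expression `dev_net(skb->dst->dev)` only removes the NULL `skb->dev` dereference from the bug report if `skb->dst` is guaranteed non-NULL for every skb that reaches `tcp_v4_send_ack()`; nothing in this hunk shows that, so the submission should state why a received skb at this point always carries a dst (or guard it), otherwise one NULL dereference is traded for another. The mail also has no changelog text: reference the netdev patch this mirrors and say that the only difference from it in this file is the 2.6.26 context around `ip_send_reply(dev_net(skb->dev)->ipv4.tcp_sock, skb,`, so a maintainer can verify the backport against upstream.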
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 40ea9c3..6d8e350 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1094,7 +1094,7 @@ static void tcp_v6_send_ack(struct tcp_timewait_sock *tw,
        struct tcphdr *th = tcp_hdr(skb), *t1;
        struct sk_buff *buff;
        struct flowi fl;
-       struct net *net = dev_net(skb->dev);
+       struct net *net = dev_net(skb->dst->dev);
        struct sock *ctl_sk = net->ipv6.tcp_sk;
        unsigned int tot_len = sizeof(struct tcphdr);
        __be32 *topt;
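Review bot: the same assumption applies here as in the ipv4 hunk: `struct net *net = dev_net(skb->dst->dev);` is only safe if `skb->dst` is set for every skb passed to `tcp_v6_send_ack()`. The cover text says this hunk was added because a follow-up described the ipv6 path as similar, so confirm that the ipv6 receive path actually has the same NULL `skb->dev` case rather than applying the change by analogy, and record that reasoning in the changelog alongside the ipv4 fix.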
