ipv4: make ip_append_data() handle NULL routing table

Add a check in ip_append_data() for NULL *rtp to prevent future bugs in
callers from being exploitable.

Signed-off-by: Julien Tinnes <julien@cr0.org>
Signed-off-by: Tavis Ormandy <taviso@sdf.lonestar.org>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 7d08210547291b74bc15d001e55eacdb8dd34281..7ffcd96fe591921bd139a1de925991b97f9a74f0 100644 (file)
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -813,6 +813,8 @@ int ip_append_data(struct sock *sk,
                        inet->cork.addr = ipc->addr;
                }
                rt = *rtp;
+               if (unlikely(!rt))
+                       return -EFAULT;
                /*
                 * We steal reference to this route, caller should not release it
                 */