commit 2bb53e2557964c2c5368a0392cf3b3b63a288cd0
author Steffen Klassert <steffen.klassert@secunet.com> Tue Oct 08 10:49:51 2013 +0200
committer Steffen Klassert <steffen.klassert@secunet.com> Tue Oct 08 10:49:51 2013 +0200
tree a62a0dd7f1cbfe4dab7826e0769d9a0a8fde81c3
parent e7d8f6cb2f8735693396872f4608bbe305e8baee

xfrm: check for a vaild skb in xfrm_policy_queue_process

We might dreference a NULL pointer if the hold_queue is empty,
so add a check to avoid this.

Bug was introduced with git commit a0073fe18 ("xfrm: Add a state
resolution packet queue")

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

net/xfrm/xfrm_policy.c

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 5f9be97..76e1873 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1772,6 +1772,10 @@
 
 	spin_lock(&pq->hold_queue.lock);
 	skb = skb_peek(&pq->hold_queue);
+	if (!skb) {
+		spin_unlock(&pq->hold_queue.lock);
+		goto out;
+	}
 	dst = skb_dst(skb);
 	sk = skb->sk;
 	xfrm_decode_session(skb, &fl, dst->ops->family);