[NET_SCHED]: cls_fw: fix NULL pointer dereference

When the first fw classifier is initialized, there is a small window
between the ->init() and ->change() calls, during which the classifier
is active but not entirely set up and tp->root is still NULL (->init()
does nothing).

When a packet is queued during this window a NULL pointer dereference
occurs in fw_classify() when trying to dereference head->mask;

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index f59a2c4aa039b463e6c4c7d4fc867ce6da8a7dcb..c797d6ada7de06948ef1fab1e225a224ffdc057d 100644 (file)
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -101,9 +101,10 @@ static int fw_classify(struct sk_buff *skb, struct tcf_proto *tp,
        struct fw_head *head = (struct fw_head*)tp->root;
        struct fw_filter *f;
        int r;
-       u32 id = skb->mark & head->mask;
+       u32 id = skb->mark;
 
        if (head != NULL) {
+               id &= head->mask;
                for (f=head->ht[fw_hash(id)]; f; f=f->next) {
                        if (f->id == id) {
                                *res = f->res;