    tipc: fix bug in broadcast retransmit code · 703068ee
    Jon Maloy authored
    In commit 58dc55f2 ("tipc: use generic
    SKB list APIs to manage link transmission queue") we replace all list
    traversal loops with the macros skb_queue_walk() or
    skb_queue_walk_safe(). While the previous loops were based on the
    assumption that the list was NULL-terminated, the standard macros
    stop when the iterator reaches the list head, which is non-NULL.
    
    In the function bclink_retransmit_pkt() this macro replacement has
    led to a bug. When we receive a BCAST STATE_MSG we unconditionally
    call the function bclink_retransmit_pkt(), whether there really is
    anything to retransmit or not, assuming that the sequence number
    comparisons will lead to the correct behavior. However, if the
    transmission queue is empty, or if there are no eligible buffers in
    the transmission queue, we will by mistake pass the list head pointer
    to the function tipc_link_retransmit(). Since the list head is not a
    valid sk_buff, this leads to a crash.
    
    In this commit we fix this by only calling tipc_link_retransmit()
    if we actually found eligible buffers in the transmission queue.
    Reviewed-by: Ying Xue <ying.xue@windriver.com>
    Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
bcast.c 27.6 KB
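
The failure mode the commit message describes, as an added userspace example (not the TIPC or kernel code): a walk that stops at a sentinel head leaves the iterator pointing at that head when the queue is empty or nothing matches. The `node` type, the `q_*` helpers and `classify()` are hypothetical names, and the plain `>` comparison is a simplification of the sequence number comparison.

```c
#include <stdio.h>
/* Userspace model of a sentinel-headed circular queue (like sk_buff_head).
 * All names are hypothetical, not kernel identifiers. */
struct node { struct node *next, *prev; unsigned seqno; };
static void q_init(struct node *h) { h->next = h->prev = h; }
static void q_add_tail(struct node *h, struct node *n)
{
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}
/* Same termination rule as skb_queue_walk(): stop at the head, not at NULL. */
#define q_walk(h, it) for ((it) = (h)->next; (it) != (h); (it) = (it)->next)

/* Pre-fix pattern: the iterator is returned without checking why the loop
 * ended; on an empty queue or no match it is the sentinel head. */
static struct node *first_after_unchecked(struct node *h, unsigned after)
{
    struct node *it;
    q_walk(h, it)
        if (it->seqno > after)  /* simplified: ignores sequence wrap-around */
            break;
    return it;
}

/* Fixed pattern: hand back only a node that was actually found. */
static struct node *first_after_checked(struct node *h, unsigned after)
{
    struct node *it;
    q_walk(h, it)
        if (it->seqno > after)
            return it;
    return NULL;
}

/* 0 = nothing found (NULL), 1 = sentinel head returned, 2 = real node. */
static int classify(int checked, int populate, unsigned after)
{
    struct node head, a = { .seqno = 10 }, b = { .seqno = 11 }, *r; /* constructed sample */
    q_init(&head);
    if (populate) { q_add_tail(&head, &a); q_add_tail(&head, &b); }
    r = (checked ? first_after_checked : first_after_unchecked)(&head, after);
    return r == NULL ? 0 : (r == &head ? 1 : 2);
}

int main(void)
{
    printf("no eligible buffer: unchecked=%d checked=%d\n", classify(0, 1, 11), classify(1, 1, 11));
    return 0;
}
```

A caller that treats the unchecked result as a buffer would dereference the list head as if it were a queue element, which is the crash condition the message describes.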