Commit 3ac90216 authored by Eric Sesterhenn, committed by David S. Miller

[TIPC] Fix for NULL pointer dereference

This fixes a bug spotted by the coverity checker, bug id #366. If
(mod(seqno - prev) != 1) we set buf to NULL, dereference it in the for
case, and set it to whatever value happens to be at address 0+next, if it
happens to be non-zero, we even stay in the loop. It seems that the author
intended to break there.
Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Per Liden <per.liden@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent a4e09279
...@@ -349,8 +349,10 @@ static void tipc_bclink_peek_nack(u32 dest, u32 sender_tag, u32 gap_after, u32 g ...@@ -349,8 +349,10 @@ static void tipc_bclink_peek_nack(u32 dest, u32 sender_tag, u32 gap_after, u32 g
for (; buf; buf = buf->next) { for (; buf; buf = buf->next) {
u32 seqno = buf_seqno(buf); u32 seqno = buf_seqno(buf);
if (mod(seqno - prev) != 1) if (mod(seqno - prev) != 1) {
buf = NULL; buf = NULL;
break;
}
if (seqno == gap_after) if (seqno == gap_after)
break; break;
prev = seqno; prev = seqno;
......
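Review bot: The added `break` after `buf = NULL` leaves this loop with exits that callers can only tell apart by the value of `buf`, and nothing in the hunk documents that. With the fix, `buf` is NULL when the sequence check `mod(seqno - prev) != 1` fails (or when the list runs out via the loop condition) and non-NULL when `seqno == gap_after` matches. A short comment above the `mod(seqno - prev) != 1` test stating that NULL signals a non-contiguous sequence would make the intent explicit. The code after the loop is elided here, so it is worth confirming that it tests `buf` before dereferencing it, since the sequence-gap exit now reaches it with `buf == NULL` without passing through `buf = buf->next`.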