diff mbox

tipc: fix dereference before check warning

Message ID 1384331711-13707-1-git-send-email-erik.hugne@ericsson.com
State Accepted, archived
Delegated to: David Miller
Headers show

Commit Message

Erik Hugne Nov. 13, 2013, 8:35 a.m. UTC 
From: Erik Hugne <erik.hugne@ericsson.com>

This fixes the following Smatch warning:
net/tipc/link.c:2364 tipc_link_recv_fragment()
    warn: variable dereferenced before check '*head' (see line 2361)

A null pointer might be passed to skb_try_coalesce if
a malicious sender injects orphan fragments on a link.

Signed-off-by: Erik Hugne <erik.hugne@ericsson.com>
---
 net/tipc/link.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

David Miller Nov. 14, 2013, 8:15 a.m. UTC | #1 
From: <erik.hugne@ericsson.com>
Date: Wed, 13 Nov 2013 09:35:11 +0100

> From: Erik Hugne <erik.hugne@ericsson.com>
> 
> This fixes the following Smatch warning:
> net/tipc/link.c:2364 tipc_link_recv_fragment()
>     warn: variable dereferenced before check '*head' (see line 2361)
> 
> A null pointer might be passed to skb_try_coalesce if
> a malicious sender injects orphan fragments on a link.
> 
> Signed-off-by: Erik Hugne <erik.hugne@ericsson.com>

Applied, thank you.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/net/tipc/link.c b/net/tipc/link.c
index cf465d6..69cd9bf 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -2358,7 +2358,8 @@  int tipc_link_recv_fragment(struct sk_buff **head, struct sk_buff **tail,
 		*head = frag;
 		skb_frag_list_init(*head);
 		return 0;
-	} else if (skb_try_coalesce(*head, frag, &headstolen, &delta)) {
+	} else if (*head &&
+		   skb_try_coalesce(*head, frag, &headstolen, &delta)) {
 		kfree_skb_partial(frag, headstolen);
 	} else {
 		if (!*head)