From patchwork Sun Sep 12 18:57:43 2010
X-Patchwork-Submitter: David Miller
X-Patchwork-Id: 64559
X-Patchwork-Delegate: davem@davemloft.net
Date: Sun, 12 Sep 2010 11:57:43 -0700 (PDT)
Message-Id: <20100912.115743.226782545.davem@davemloft.net>
To: jirislaby@gmail.com
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: sch_atm: null dereference
From: David Miller
In-Reply-To: <4C823DA0.3050203@gmail.com>
References: <4C823DA0.3050203@gmail.com>
X-Mailing-List: netdev@vger.kernel.org

From: Jiri Slaby
Date: Sat, 04 Sep 2010 14:37:52 +0200

> stanse found a potential null dereference:
> atm_tc_change
> -> if (flow)
> -> return -EBUSY;
> -> flow is NULL now
> -> if (classid)
> -> if (!list_empty(&flow->list))
>
> Introduced probably in
> sch_atm: Convert to use standard list_head facilities.
>
> Could you fix that?

Technically it's an unnecessary test that's been there forever.

I've applied the following to net-2.6, thanks!

--------------------
sch_atm: Fix potential NULL deref.

The list_head conversion unearthed an unnecessary flow check.
Since flow is always NULL here we don't need to see if a matching
flow exists already.

Reported-by: Jiri Slaby
Signed-off-by: David S. Miller
---
 net/sched/sch_atm.c | 4 ----
 1 files changed, 0 insertions(+), 4 deletions(-)

diff --git a/net/sched/sch_atm.c b/net/sched/sch_atm.c index 3406627..6318e11 100644 --- a/net/sched/sch_atm.c +++ b/net/sched/sch_atm.c @@ -255,10 +255,6 @@ static int atm_tc_change(struct Qdisc *sch, u32 classid, u32 parent, error = -EINVAL; goto err_out; } - if (!list_empty(&flow->list)) { - error = -EEXIST; - goto err_out; - } } else { int i; unsigned long cl;
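
Review bot: the changelog says flow is always NULL at the removed `if (!list_empty(&flow->list))` test in the `if (classid)` branch, but it does not say what guarantees that. Per the trace in the report it is the earlier `if (flow) return -EBUSY;` in atm_tc_change, so the message should name that check; with the -EEXIST branch gone, that return is the only existing-flow test the report and hunk show on this path. A one-line comment in the `if (classid)` block noting that flow is NULL there would help keep a later change from dereferencing it again. The message could also cite "sch_atm: Convert to use standard list_head facilities." by subject, since the report names it as the probable origin.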