Commit 4c246863 authored by Xin Long's avatar Xin Long Committed by Greg Kroah-Hartman

sctp: return next obj by passing pos + 1 into sctp_transport_get_idx


[ Upstream commit 988c7322 ]

In sctp_for_each_transport, pos is used to save how many objs it has
dumped. Now it gets the last obj by sctp_transport_get_idx, then gets
the next obj by sctp_transport_get_next.

The issue is that in the meanwhile if some objs in transport hashtable
are removed and the objs nums are less than pos, sctp_transport_get_idx
would return NULL and hti.walker.tbl is NULL as well. At this moment
it should stop hti, instead of continue getting the next obj. Or it
would cause a NULL pointer dereference in sctp_transport_get_next.

This patch is to pass pos + 1 into sctp_transport_get_idx to get the
next obj directly, even if pos > objs nums, it would return NULL and
stop hti.

Fixes: 626d16f5 ("sctp: export some apis or variables for sctp_diag and reuse some for proc")
Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent fded2d74
...@@ -4506,9 +4506,8 @@ int sctp_for_each_transport(int (*cb)(struct sctp_transport *, void *), ...@@ -4506,9 +4506,8 @@ int sctp_for_each_transport(int (*cb)(struct sctp_transport *, void *),
if (err) if (err)
return err; return err;
sctp_transport_get_idx(net, &hti, pos); obj = sctp_transport_get_idx(net, &hti, pos + 1);
obj = sctp_transport_get_next(net, &hti); for (; !IS_ERR_OR_NULL(obj); obj = sctp_transport_get_next(net, &hti)) {
for (; obj && !IS_ERR(obj); obj = sctp_transport_get_next(net, &hti)) {
struct sctp_transport *transport = obj; struct sctp_transport *transport = obj;
if (!sctp_transport_hold(transport)) if (!sctp_transport_hold(transport))
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment