Commit 15bde727 authored by David Howells's avatar David Howells Committed by David S. Miller

RxRPC: Fix a potential NULL dereference

Fix a potential NULL dereference bug during error handling in
rxrpc_kernel_begin_call(), whereby rxrpc_put_transport() may be handed a NULL
pointer.

This was found with a code checker (http://repo.or.cz/w/smatch.git/).
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 355423d0
...@@ -284,13 +284,13 @@ struct rxrpc_call *rxrpc_kernel_begin_call(struct socket *sock, ...@@ -284,13 +284,13 @@ struct rxrpc_call *rxrpc_kernel_begin_call(struct socket *sock,
if (IS_ERR(trans)) { if (IS_ERR(trans)) {
call = ERR_CAST(trans); call = ERR_CAST(trans);
trans = NULL; trans = NULL;
goto out; goto out_notrans;
} }
} else { } else {
trans = rx->trans; trans = rx->trans;
if (!trans) { if (!trans) {
call = ERR_PTR(-ENOTCONN); call = ERR_PTR(-ENOTCONN);
goto out; goto out_notrans;
} }
atomic_inc(&trans->usage); atomic_inc(&trans->usage);
} }
...@@ -315,6 +315,7 @@ struct rxrpc_call *rxrpc_kernel_begin_call(struct socket *sock, ...@@ -315,6 +315,7 @@ struct rxrpc_call *rxrpc_kernel_begin_call(struct socket *sock,
rxrpc_put_bundle(trans, bundle); rxrpc_put_bundle(trans, bundle);
out: out:
rxrpc_put_transport(trans); rxrpc_put_transport(trans);
out_notrans:
release_sock(&rx->sk); release_sock(&rx->sk);
_leave(" = %p", call); _leave(" = %p", call);
return call; return call;
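Review bot: The `trans = NULL;` left in the `IS_ERR(trans)` branch of the first hunk is now a dead store, because `goto out_notrans` bypasses `rxrpc_put_transport(trans)` and nothing visible after that label reads `trans`; the branch can be reduced to `call = ERR_CAST(trans);` followed by `goto out_notrans;`. The two exit labels would also benefit from a short comment such as `/* out: drop the transport ref taken above; out_notrans: no ref held */`, since picking the wrong one either hands the put a NULL pointer or leaks a reference. The code between the two hunks is not shown, so it is worth confirming that every remaining `goto out` there is reached only with a valid, referenced `trans`. rxrpc_kernel_begin_call() starts before the first hunk.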