appletalk: Fix potential NULL pointer dereference in unregister_snap_client

register_snap_client may return NULL, all the callers
check it, but only print a warning. This will result in
NULL pointer dereference in unregister_snap_client and other
places.

It has always been used like this since v2.6

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

3 files changed, 25 insertions, 12 deletions

diff --git a/include/linux/atalk.h b/include/linux/atalk.h
index d5cfc0b15b76..f6034ba774be 100644
--- a/include/linux/atalk.h
+++ b/include/linux/atalk.h
@@ -108,7 +108,7 @@ static __inline__ struct elapaarp *aarp_hdr(struct sk_buff *skb)
 #define AARP_RESOLVE_TIME       (10 * HZ)
 
 extern struct datalink_proto *ddp_dl, *aarp_dl;
-extern void aarp_proto_init(void);
+extern int aarp_proto_init(void);
 
 /* Inter module exports */
 
diff --git a/net/appletalk/aarp.c b/net/appletalk/aarp.c
index 49a16cee2aae..420a98bf79b5 100644
--- a/net/appletalk/aarp.c
+++ b/net/appletalk/aarp.c
@@ -879,15 +879,24 @@ static struct notifier_block aarp_notifier = {
 
 static unsigned char aarp_snap_id[] = { 0x00, 0x00, 0x00, 0x80, 0xF3 };
 
-void __init aarp_proto_init(void)
+int __init aarp_proto_init(void)
 {
+        int rc;
+
         aarp_dl = register_snap_client(aarp_snap_id, aarp_rcv);
-        if (!aarp_dl)
+        if (!aarp_dl) {
                 printk(KERN_CRIT "Unable to register AARP with SNAP.\n");
+                return -ENOMEM;
+        }
         timer_setup(&aarp_timer, aarp_expire_timeout, 0);
         aarp_timer.expires  = jiffies + sysctl_aarp_expiry_time;
         add_timer(&aarp_timer);
-        register_netdevice_notifier(&aarp_notifier);
+        rc = register_netdevice_notifier(&aarp_notifier);
+        if (rc) {
+                del_timer_sync(&aarp_timer);
+                unregister_snap_client(aarp_dl);
+        }
+        return rc;
 }
 
 /* Remove the AARP entries associated with a device. */
diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
index 795fbc6c06aa..709d2542f729 100644
--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -1904,9 +1904,6 @@ static unsigned char ddp_snap_id[] = { 0x08, 0x00, 0x07, 0x80, 0x9B };
 EXPORT_SYMBOL(atrtr_get_dev);
 EXPORT_SYMBOL(atalk_find_dev_addr);
 
-static const char atalk_err_snap[] __initconst =
-        KERN_CRIT "Unable to register DDP with SNAP.\n";
-
 /* Called by proto.c on kernel start up */
 static int __init atalk_init(void)
 {
@@ -1921,17 +1918,22 @@ static int __init atalk_init(void)
                 goto out_proto;
 
         ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv);
-        if (!ddp_dl)
-                printk(atalk_err_snap);
+        if (!ddp_dl) {
+                pr_crit("Unable to register DDP with SNAP.\n");
+                goto out_sock;
+        }
 
         dev_add_pack(&ltalk_packet_type);
         dev_add_pack(&ppptalk_packet_type);
 
         rc = register_netdevice_notifier(&ddp_notifier);
         if (rc)
-                goto out_sock;
+                goto out_snap;
+
+        rc = aarp_proto_init();
+        if (rc)
+                goto out_dev;
 
-        aarp_proto_init();
         rc = atalk_proc_init();
         if (rc)
                 goto out_aarp;
@@ -1945,11 +1947,13 @@ out_proc:
         atalk_proc_exit();
 out_aarp:
         aarp_cleanup_module();
+out_dev:
         unregister_netdevice_notifier(&ddp_notifier);
-out_sock:
+out_snap:
         dev_remove_pack(&ppptalk_packet_type);
         dev_remove_pack(&ltalk_packet_type);
         unregister_snap_client(ddp_dl);
+out_sock:
         sock_unregister(PF_APPLETALK);
 out_proto:
         proto_unregister(&ddp_proto);