diff options
| author | Erik Hugne <erik.hugne@ericsson.com> | 2015-02-27 02:56:55 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-02-27 18:18:47 -0500 |
| commit | 7fe8097cef5ff4ba1c7ced42bda97830ce00eec6 (patch) | |
| tree | d9461dce54e4dbe08b98db7db04e3b5ad224991e /net/tipc | |
| parent | 3622c36f37640078c9a706b71e02e6334c85f9e9 (diff) | |
tipc: fix nullpointer bug when subscribing to events
If a subscription request is sent to a topology server
connection, and any error occurs (malformed request, oom
or limit reached) while processing this request, TIPC should
terminate the subscriber connection. While doing so, it tries
to access fields in an already freed (or never allocated)
subscription element leading to a nullpointer exception.
We fix this by removing the subscr_terminate function and
terminate the connection immediately upon any subscription
failure.
Signed-off-by: Erik Hugne <erik.hugne@ericsson.com>
Reviewed-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/tipc')
| -rw-r--r-- | net/tipc/subscr.c | 23 |
1 files changed, 4 insertions, 19 deletions
diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c index 72c339e432aa..1c147c869c2e 100644 --- a/net/tipc/subscr.c +++ b/net/tipc/subscr.c | |||
| @@ -162,19 +162,6 @@ static void subscr_del(struct tipc_subscription *sub) | |||
| 162 | atomic_dec(&tn->subscription_count); | 162 | atomic_dec(&tn->subscription_count); |
| 163 | } | 163 | } |
| 164 | 164 | ||
| 165 | /** | ||
| 166 | * subscr_terminate - terminate communication with a subscriber | ||
| 167 | * | ||
| 168 | * Note: Must call it in process context since it might sleep. | ||
| 169 | */ | ||
| 170 | static void subscr_terminate(struct tipc_subscription *sub) | ||
| 171 | { | ||
| 172 | struct tipc_subscriber *subscriber = sub->subscriber; | ||
| 173 | struct tipc_net *tn = net_generic(sub->net, tipc_net_id); | ||
| 174 | |||
| 175 | tipc_conn_terminate(tn->topsrv, subscriber->conid); | ||
| 176 | } | ||
| 177 | |||
| 178 | static void subscr_release(struct tipc_subscriber *subscriber) | 165 | static void subscr_release(struct tipc_subscriber *subscriber) |
| 179 | { | 166 | { |
| 180 | struct tipc_subscription *sub; | 167 | struct tipc_subscription *sub; |
| @@ -312,16 +299,14 @@ static void subscr_conn_msg_event(struct net *net, int conid, | |||
| 312 | { | 299 | { |
| 313 | struct tipc_subscriber *subscriber = usr_data; | 300 | struct tipc_subscriber *subscriber = usr_data; |
| 314 | struct tipc_subscription *sub = NULL; | 301 | struct tipc_subscription *sub = NULL; |
| 302 | struct tipc_net *tn = net_generic(net, tipc_net_id); | ||
| 315 | 303 | ||
| 316 | spin_lock_bh(&subscriber->lock); | 304 | spin_lock_bh(&subscriber->lock); |
| 317 | if (subscr_subscribe(net, (struct tipc_subscr *)buf, subscriber, | 305 | subscr_subscribe(net, (struct tipc_subscr *)buf, subscriber, &sub); |
| 318 | &sub) < 0) { | ||
| 319 | spin_unlock_bh(&subscriber->lock); | ||
| 320 | subscr_terminate(sub); | ||
| 321 | return; | ||
| 322 | } | ||
| 323 | if (sub) | 306 | if (sub) |
| 324 | tipc_nametbl_subscribe(sub); | 307 | tipc_nametbl_subscribe(sub); |
| 308 | else | ||
| 309 | tipc_conn_terminate(tn->topsrv, subscriber->conid); | ||
| 325 | spin_unlock_bh(&subscriber->lock); | 310 | spin_unlock_bh(&subscriber->lock); |
| 326 | } | 311 | } |
| 327 | 312 | ||