aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Sesterhenn <snakebyte@gmx.de>2006-06-26 02:41:15 -0400
committerDavid S. Miller <davem@davemloft.net>2006-06-26 02:41:15 -0400
commit3ac90216abc7d39e694533aec2805efeb06bf8ac (patch)
treec3374590eb318578896b41ca5af9d098275fc36f
parenta4e0927902508a5f7f04be56d3c3e1b174481705 (diff)
[TIPC] Fix for NULL pointer dereference
This fixes a bug spotted by the coverity checker, bug id #366. If (mod(seqno - prev) != 1) we set buf to NULL, dereference it in the for case, and set it to whatever value happes to be at adress 0+next, if it happens to be non-zero, we even stay in the loop. It seems that the author intended to break there. Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de> Signed-off-by: Per Liden <per.liden@ericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/tipc/bcast.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/net/tipc/bcast.c b/net/tipc/bcast.c
index 00691b7c35f8..44645f56377e 100644
--- a/net/tipc/bcast.c
+++ b/net/tipc/bcast.c
@@ -349,8 +349,10 @@ static void tipc_bclink_peek_nack(u32 dest, u32 sender_tag, u32 gap_after, u32 g
349 for (; buf; buf = buf->next) { 349 for (; buf; buf = buf->next) {
350 u32 seqno = buf_seqno(buf); 350 u32 seqno = buf_seqno(buf);
351 351
352 if (mod(seqno - prev) != 1) 352 if (mod(seqno - prev) != 1) {
353 buf = NULL; 353 buf = NULL;
354 break;
355 }
354 if (seqno == gap_after) 356 if (seqno == gap_after)
355 break; 357 break;
356 prev = seqno; 358 prev = seqno;