aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2009-02-07 00:50:52 -0500
committerDavid S. Miller <davem@davemloft.net>2009-02-07 00:50:52 -0500
commit15bde72738f373aa060ececeda8e064e4f924360 (patch)
tree9f13defd4cbdfff49b1e39a0ac43b9df4c4581de
parent355423d0849f4506bc71ab2738d38cb74429aaef (diff)
RxRPC: Fix a potential NULL dereference
Fix a potential NULL dereference bug during error handling in rxrpc_kernel_begin_call(), whereby rxrpc_put_transport() may be handed a NULL pointer. This was found with a code checker (http://repo.or.cz/w/smatch.git/). Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/rxrpc/af_rxrpc.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c
index d7d2bed7a699..eac5e7bb7365 100644
--- a/net/rxrpc/af_rxrpc.c
+++ b/net/rxrpc/af_rxrpc.c
@@ -284,13 +284,13 @@ struct rxrpc_call *rxrpc_kernel_begin_call(struct socket *sock,
284 if (IS_ERR(trans)) { 284 if (IS_ERR(trans)) {
285 call = ERR_CAST(trans); 285 call = ERR_CAST(trans);
286 trans = NULL; 286 trans = NULL;
287 goto out; 287 goto out_notrans;
288 } 288 }
289 } else { 289 } else {
290 trans = rx->trans; 290 trans = rx->trans;
291 if (!trans) { 291 if (!trans) {
292 call = ERR_PTR(-ENOTCONN); 292 call = ERR_PTR(-ENOTCONN);
293 goto out; 293 goto out_notrans;
294 } 294 }
295 atomic_inc(&trans->usage); 295 atomic_inc(&trans->usage);
296 } 296 }
@@ -315,6 +315,7 @@ struct rxrpc_call *rxrpc_kernel_begin_call(struct socket *sock,
315 rxrpc_put_bundle(trans, bundle); 315 rxrpc_put_bundle(trans, bundle);
316out: 316out:
317 rxrpc_put_transport(trans); 317 rxrpc_put_transport(trans);
318out_notrans:
318 release_sock(&rx->sk); 319 release_sock(&rx->sk);
319 _leave(" = %p", call); 320 _leave(" = %p", call);
320 return call; 321 return call;