diff options
| author | Eric Sesterhenn <snakebyte@gmx.de> | 2006-06-26 02:41:15 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2006-06-26 02:41:15 -0400 |
| commit | 3ac90216abc7d39e694533aec2805efeb06bf8ac (patch) | |
| tree | c3374590eb318578896b41ca5af9d098275fc36f /net/tipc | |
| parent | a4e0927902508a5f7f04be56d3c3e1b174481705 (diff) | |
[TIPC] Fix for NULL pointer dereference
This fixes a bug spotted by the coverity checker, bug id #366. If
(mod(seqno - prev) != 1) we set buf to NULL, dereference it in the for
case, and set it to whatever value happes to be at adress 0+next, if it
happens to be non-zero, we even stay in the loop. It seems that the author
intended to break there.
Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Per Liden <per.liden@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/tipc')
| -rw-r--r-- | net/tipc/bcast.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/net/tipc/bcast.c b/net/tipc/bcast.c index 00691b7c35f8..44645f56377e 100644 --- a/net/tipc/bcast.c +++ b/net/tipc/bcast.c | |||
| @@ -349,8 +349,10 @@ static void tipc_bclink_peek_nack(u32 dest, u32 sender_tag, u32 gap_after, u32 g | |||
| 349 | for (; buf; buf = buf->next) { | 349 | for (; buf; buf = buf->next) { |
| 350 | u32 seqno = buf_seqno(buf); | 350 | u32 seqno = buf_seqno(buf); |
| 351 | 351 | ||
| 352 | if (mod(seqno - prev) != 1) | 352 | if (mod(seqno - prev) != 1) { |
| 353 | buf = NULL; | 353 | buf = NULL; |
| 354 | break; | ||
| 355 | } | ||
| 354 | if (seqno == gap_after) | 356 | if (seqno == gap_after) |
| 355 | break; | 357 | break; |
| 356 | prev = seqno; | 358 | prev = seqno; |