RxRPC: Fix a potential NULL dereference
authorDavid Howells <dhowells@redhat.com>
Sat, 7 Feb 2009 05:50:52 +0000 (21:50 -0800)
committerDavid S. Miller <davem@davemloft.net>
Sat, 7 Feb 2009 05:50:52 +0000 (21:50 -0800)
Fix a potential NULL dereference bug during error handling in
rxrpc_kernel_begin_call(), whereby rxrpc_put_transport() may be handed a NULL
pointer.

This was found with a code checker (http://repo.or.cz/w/smatch.git/).

Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/rxrpc/af_rxrpc.c

index d7d2bed..eac5e7b 100644 (file)
@@ -284,13 +284,13 @@ struct rxrpc_call *rxrpc_kernel_begin_call(struct socket *sock,
                if (IS_ERR(trans)) {
                        call = ERR_CAST(trans);
                        trans = NULL;
-                       goto out;
+                       goto out_notrans;
                }
        } else {
                trans = rx->trans;
                if (!trans) {
                        call = ERR_PTR(-ENOTCONN);
-                       goto out;
+                       goto out_notrans;
                }
                atomic_inc(&trans->usage);
        }
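Review bot: The `trans = NULL;` store kept in the IS_ERR(trans) branch is now a dead store, because `goto out_notrans` skips `rxrpc_put_transport(trans)` under `out:`. The lines after `out_notrans:` in the second hunk do not read trans. Either drop the assignment or keep it with a comment recording the intent, e.g. `/* trans is an ERR_PTR here; it must never reach rxrpc_put_transport() */`. The function body starts before this hunk, so how trans is obtained cannot be checked from here.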
@@ -315,6 +315,7 @@ struct rxrpc_call *rxrpc_kernel_begin_call(struct socket *sock,
        rxrpc_put_bundle(trans, bundle);
 out:
        rxrpc_put_transport(trans);
+out_notrans:
        release_sock(&rx->sk);
        _leave(" = %p", call);
        return call;
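Review bot: The exit labels now encode a reference-count contract that is not written down: `out:` may only be reached while a transport reference is held, and `out_notrans:` only when none is. A short comment above the labels would keep later error paths from picking the wrong one, e.g. `/* out: drops the transport ref taken above; out_notrans: no ref held */`. The `goto out` sites between the two hunks are not visible here. Presumably each runs after the reference is taken, but that is worth confirming, since a NULL trans reaching `out:` would reintroduce the dereference. The function's closing brace is outside the hunk.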