[TIPC] Fix for NULL pointer dereference

This fixes a bug spotted by the coverity checker, bug id #366. If
(mod(seqno - prev) != 1) we set buf to NULL, dereference it in the for
case, and set it to whatever value happes to be at adress 0+next, if it
happens to be non-zero, we even stay in the loop. It seems that the author
intended to break there.

Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Per Liden <per.liden@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/tipc/bcast.c b/net/tipc/bcast.c
index 00691b7..44645f5 100644 (file)
--- a/net/tipc/bcast.c
+++ b/net/tipc/bcast.c
@@ -349,8 +349,10 @@ static void tipc_bclink_peek_nack(u32 dest, u32 sender_tag, u32 gap_after, u32 g
                for (; buf; buf = buf->next) {
                        u32 seqno = buf_seqno(buf);
 
-                       if (mod(seqno - prev) != 1)
+                       if (mod(seqno - prev) != 1) {
                                buf = NULL;
+                               break;
+                       }
                        if (seqno == gap_after)
                                break;
                        prev = seqno;