Message ID | 20190726141705.9585-1-baijiaju1990@gmail.com (mailing list archive) |
---|---|
State | Not Applicable |
Series | net: rds: Fix possible null-pointer dereferences in rds_rdma_cm_event_handler_cmn() |
On 7/26/19 7:17 AM, Jia-Ju Bai wrote:
> In rds_rdma_cm_event_handler_cmn(), there are some if statements to
> check whether conn is NULL, such as on lines 65, 96 and 112.
> But conn is not checked before being used on line 108:
>     trans->cm_connect_complete(conn, event);
> and on lines 140-143:
>     rdsdebug("DISCONNECT event - dropping connection "
>              "%pI6c->%pI6c\n", &conn->c_laddr,
>              &conn->c_faddr);
>     rds_conn_drop(conn);
>
> Thus, possible null-pointer dereferences may occur.
>
> To fix these bugs, conn is checked before being used.
>
> These bugs are found by a static analysis tool STCheck written by us.
>
> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
> ---

That's possible. Looks good.

Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
From: Jia-Ju Bai <baijiaju1990@gmail.com>
Date: Fri, 26 Jul 2019 22:17:05 +0800

> In rds_rdma_cm_event_handler_cmn(), there are some if statements to
> check whether conn is NULL, such as on lines 65, 96 and 112.
> But conn is not checked before being used on line 108:
>     trans->cm_connect_complete(conn, event);
> and on lines 140-143:
>     rdsdebug("DISCONNECT event - dropping connection "
>              "%pI6c->%pI6c\n", &conn->c_laddr,
>              &conn->c_faddr);
>     rds_conn_drop(conn);
>
> Thus, possible null-pointer dereferences may occur.
>
> To fix these bugs, conn is checked before being used.
>
> These bugs are found by a static analysis tool STCheck written by us.
>
> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>

Applied.
diff --git a/net/rds/rdma_transport.c b/net/rds/rdma_transport.c index ff74c4bbb9fc..9986d6065c4d 100644 --- a/net/rds/rdma_transport.c +++ b/net/rds/rdma_transport.c @@ -105,7 +105,8 @@ static int rds_rdma_cm_event_handler_cmn(struct rdma_cm_id *cm_id, break; case RDMA_CM_EVENT_ESTABLISHED: - trans->cm_connect_complete(conn, event); + if (conn) + trans->cm_connect_complete(conn, event); break; case RDMA_CM_EVENT_REJECTED: @@ -137,6 +138,8 @@ static int rds_rdma_cm_event_handler_cmn(struct rdma_cm_id *cm_id, break; case RDMA_CM_EVENT_DISCONNECTED: + if (!conn) + break; rdsdebug("DISCONNECT event - dropping connection " "%pI6c->%pI6c\n", &conn->c_laddr, &conn->c_faddr);
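Review bot: the new `if (conn)` guard in the RDMA_CM_EVENT_ESTABLISHED case silently discards an established event that arrives with no connection context, and neither the hunk nor the commit message says which path delivers an ESTABLISHED event on a cm_id whose context is NULL; the commit message only points at the other checks on lines 65, 96 and 112 as evidence that it can happen. If that path is real, name it in the commit message, and add an else branch that logs the skipped event so the condition is diagnosable rather than invisible, for example `else rdsdebug("ESTABLISHED event with no conn, id %p\n", cm_id);` using the rdsdebug() helper the function already uses; if it is not reachable, the guard is dead code and the message should say the check is defensive.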
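Review bot: the `if (!conn) break;` early-out in the RDMA_CM_EVENT_DISCONNECTED case is written in a different style from the first hunk, which wraps the call in `if (conn)`; pick one form for both so the two new guards read as the same check. The early break also drops the event with no trace, while the normal path in this same case emits an rdsdebug() line with the peer addresses; since the addresses are exactly what cannot be printed when conn is NULL, log the cm_id instead before breaking, so that a disconnect for a connection the handler cannot find is still visible in the debug output.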
In rds_rdma_cm_event_handler_cmn(), there are some if statements to
check whether conn is NULL, such as on lines 65, 96 and 112.
But conn is not checked before being used on line 108:
    trans->cm_connect_complete(conn, event);
and on lines 140-143:
    rdsdebug("DISCONNECT event - dropping connection "
             "%pI6c->%pI6c\n", &conn->c_laddr,
             &conn->c_faddr);
    rds_conn_drop(conn);

Thus, possible null-pointer dereferences may occur.

To fix these bugs, conn is checked before being used.

These bugs are found by a static analysis tool STCheck written by us.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
---
 net/rds/rdma_transport.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)