[PATCH net] sctp: return next obj by passing pos + 1 into sctp_transport_get

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH net] sctp: return next obj by passing pos + 1 into sctp_transport_get_idx
@ 2017-06-15  9:49 Xin Long
  2017-06-15 18:41 ` David Miller
  0 siblings, 1 reply; 2+ messages in thread
From: Xin Long @ 2017-06-15  9:49 UTC (permalink / raw)
  To: network dev, linux-sctp; +Cc: davem, Marcelo Ricardo Leitner, Neil Horman

In sctp_for_each_transport, pos is used to save how many objs it has
dumped. Now it gets the last obj by sctp_transport_get_idx, then gets
the next obj by sctp_transport_get_next.

The issue is that in the meanwhile if some objs in transport hashtable
are removed and the objs nums are less than pos, sctp_transport_get_idx
would return NULL and hti.walker.tbl is NULL as well. At this moment
it should stop hti, instead of continue getting the next obj. Or it
would cause a NULL pointer dereference in sctp_transport_get_next.

This patch is to pass pos + 1 into sctp_transport_get_idx to get the
next obj directly, even if pos > objs nums, it would return NULL and
stop hti.

Fixes: 626d16f50f39 ("sctp: export some apis or variables for sctp_diag and reuse some for proc")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
 net/sctp/socket.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 30aa0a5..3a8318e 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4666,9 +4666,8 @@ int sctp_for_each_transport(int (*cb)(struct sctp_transport *, void *),
 	if (err)
 		return err;

-	sctp_transport_get_idx(net, &hti, pos);
-	obj = sctp_transport_get_next(net, &hti);
-	for (; obj && !IS_ERR(obj); obj = sctp_transport_get_next(net, &hti)) {
+	obj = sctp_transport_get_idx(net, &hti, pos + 1);
+	for (; !IS_ERR_OR_NULL(obj); obj = sctp_transport_get_next(net, &hti)) {
 		struct sctp_transport *transport = obj;

 		if (!sctp_transport_hold(transport))
-- 
2.1.0

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH net] sctp: return next obj by passing pos + 1 into sctp_transport_get_idx
  2017-06-15  9:49 [PATCH net] sctp: return next obj by passing pos + 1 into sctp_transport_get_idx Xin Long
@ 2017-06-15 18:41 ` David Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2017-06-15 18:41 UTC (permalink / raw)
  To: lucien.xin; +Cc: netdev, linux-sctp, marcelo.leitner, nhorman

From: Xin Long <lucien.xin@gmail.com>
Date: Thu, 15 Jun 2017 17:49:08 +0800

> In sctp_for_each_transport, pos is used to save how many objs it has
> dumped. Now it gets the last obj by sctp_transport_get_idx, then gets
> the next obj by sctp_transport_get_next.
> 
> The issue is that in the meanwhile if some objs in transport hashtable
> are removed and the objs nums are less than pos, sctp_transport_get_idx
> would return NULL and hti.walker.tbl is NULL as well. At this moment
> it should stop hti, instead of continue getting the next obj. Or it
> would cause a NULL pointer dereference in sctp_transport_get_next.
> 
> This patch is to pass pos + 1 into sctp_transport_get_idx to get the
> next obj directly, even if pos > objs nums, it would return NULL and
> stop hti.
> 
> Fixes: 626d16f50f39 ("sctp: export some apis or variables for sctp_diag and reuse some for proc")
> Signed-off-by: Xin Long <lucien.xin@gmail.com>

Applied and queued up for -stable, thanks.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2017-06-15 18:41 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-06-15  9:49 [PATCH net] sctp: return next obj by passing pos + 1 into sctp_transport_get_idx Xin Long
2017-06-15 18:41 ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).