From: Of Antonio Quartulli
Sent: 05 August 2015 13:52 From: Marek Lindner mareklindner@neomailbox.ch
batadv_softif_vlan_get() may return NULL which has to be verified by the caller.
...
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c index c002961..a2fc843 100644 --- a/net/batman-adv/soft-interface.c +++ b/net/batman-adv/soft-interface.c @@ -479,6 +479,9 @@ out: */ void batadv_softif_vlan_free_ref(struct batadv_softif_vlan *vlan) {
- if (!vlan)
return;
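Review bot: the NULL guard added at the top of batadv_softif_vlan_free_ref() (hunk @@ -479,6 +479,9 @@, the `if (!vlan) return;` lines) turns a caller that drops a reference it never obtained into a silent no-op, which hides exactly the kind of refcount bug a crash would otherwise expose. Since the commit message says the burden of checking the NULL return of batadv_softif_vlan_get() is on the caller, keep free_ref strict and put the check at each call site next to the vlan_get() lookup, or, if the guard is kept for defensive reasons, make it a WARN_ON(!vlan) so a misuse is reported rather than swallowed. Note also that the hunk header counts three added lines, so these are additions even though the quoted markers show them as `-`.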
This bit doesn't look necessary. You've added checks to some callers, the others probably don't need the check.
@@ -1066,6 +1069,9 @@ uint16_t batadv_tt_local_remove(struct batadv_priv *bat_priv,
/* decrease the reference held for this vlan */ vlan = batadv_softif_vlan_get(bat_priv, vid);
- if (!vlan)
goto out;
- batadv_softif_vlan_free_ref(vlan); batadv_softif_vlan_free_ref(vlan);
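Review bot: in batadv_tt_local_remove() (hunk @@ -1066,6 +1069,9 @@) the comment on the line above says "decrease the reference held for this vlan", so a NULL from batadv_softif_vlan_get() here means the entry's vlan reference was already gone while the entry still counted on it, and the new `if (!vlan) goto out;` just skips the release instead of reporting that inconsistency. Either explain in the commit message how a TT local entry can outlive its vlan (in which case the reference accounting that makes the held reference possible needs fixing too), or replace the silent `goto out` with a WARN_ON so the underlying imbalance is visible. Also, the quoted line shows `batadv_softif_vlan_free_ref(vlan)` twice after the goto; if that is the removed/re-indented pair from the diff, fine, but if both calls remain the vlan reference is dropped twice on every removal.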
That code is ringing alarm bells. If you expect to have a reference count, the object had better exist. If you can remove a reference count from a 'random' object then you can break the reference counting of objects.
So is this test just hiding another bug somewhere??
David