Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

tipc: fix nullpointer bug when subscribing to events

If a subscription request is sent to a topology server
connection, and any error occurs (malformed request, oom
or limit reached) while processing this request, TIPC should
terminate the subscriber connection. While doing so, it tries
to access fields in an already freed (or never allocated)
subscription element leading to a nullpointer exception.
We fix this by removing the subscr_terminate function and
terminating the connection immediately upon any subscription
failure.

Signed-off-by: Erik Hugne <erik.hugne@ericsson.com>
Reviewed-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Authored by Erik Hugne and committed by David S. Miller
Commit 7fe8097c, parent 3622c36f

+4 -19
net/tipc/subscr.c
··· 162 162 atomic_dec(&tn->subscription_count); 163 163 } 164 164 165 - /** 166 - * subscr_terminate - terminate communication with a subscriber 167 - * 168 - * Note: Must call it in process context since it might sleep. 169 - */ 170 - static void subscr_terminate(struct tipc_subscription *sub) 171 - { 172 - struct tipc_subscriber *subscriber = sub->subscriber; 173 - struct tipc_net *tn = net_generic(sub->net, tipc_net_id); 174 - 175 - tipc_conn_terminate(tn->topsrv, subscriber->conid); 176 - } 177 - 178 165 static void subscr_release(struct tipc_subscriber *subscriber) 179 166 { 180 167 struct tipc_subscription *sub; ··· 299 312 { 300 313 struct tipc_subscriber *subscriber = usr_data; 301 314 struct tipc_subscription *sub = NULL; 315 + struct tipc_net *tn = net_generic(net, tipc_net_id); 302 316 303 317 spin_lock_bh(&subscriber->lock); 304 - if (subscr_subscribe(net, (struct tipc_subscr *)buf, subscriber, 305 - &sub) < 0) { 306 - spin_unlock_bh(&subscriber->lock); 307 - subscr_terminate(sub); 308 - return; 309 - } 318 + subscr_subscribe(net, (struct tipc_subscr *)buf, subscriber, &sub); 310 319 if (sub) 311 320 tipc_nametbl_subscribe(sub); 321 + else 322 + tipc_conn_terminate(tn->topsrv, subscriber->conid); 312 323 spin_unlock_bh(&subscriber->lock); 313 324 } 314 325
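Review bot: the removed subscr_terminate carried the note "Must call it in process context since it might sleep", and the old caller dropped `spin_unlock_bh(&subscriber->lock)` before invoking it; the new call `tipc_conn_terminate(tn->topsrv, subscriber->conid);` in the second hunk runs while that spinlock is still held. If tipc_conn_terminate can sleep, as the deleted comment states, this is a sleep-in-atomic-context bug; either confirm it cannot sleep (and say so in the commit message) or move the terminate call after the `spin_unlock_bh`.

Review bot: in the second hunk the return value of subscr_subscribe is no longer checked and every NULL `sub` is treated as a failure, yet the pre-existing `if (sub)` guard after a successful (non-negative) return shows that the function could already return without producing a subscription. That previously harmless outcome now terminates the subscriber connection; please confirm it can no longer occur, or keep distinguishing the error return from the "no subscription created" case, e.g. by keeping the `< 0` test and terminating only on that path.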