summaryrefslogtreecommitdiffstats
path: root/net/sctp/socket.c
diff options
context:
space:
mode:
authorXin Long <lucien.xin@gmail.com>2017-06-15 11:49:08 +0200
committerDavid S. Miller <davem@davemloft.net>2017-06-15 20:40:30 +0200
commit988c7322116970696211e902b468aefec95b6ec4 (patch)
tree7117f8e2e1bb92b1591217f7e79a4ef5a54cd725 /net/sctp/socket.c
parentrxrpc: Fix several cases where a padded len isn't checked in ticket decode (diff)
downloadlinux-988c7322116970696211e902b468aefec95b6ec4.tar.xz
linux-988c7322116970696211e902b468aefec95b6ec4.zip
sctp: return next obj by passing pos + 1 into sctp_transport_get_idx
In sctp_for_each_transport, pos is used to save how many objs it has dumped. Now it gets the last obj by sctp_transport_get_idx, then gets the next obj by sctp_transport_get_next. The issue is that in the meanwhile if some objs in transport hashtable are removed and the objs nums are less than pos, sctp_transport_get_idx would return NULL and hti.walker.tbl is NULL as well. At this moment it should stop hti, instead of continue getting the next obj. Or it would cause a NULL pointer dereference in sctp_transport_get_next. This patch is to pass pos + 1 into sctp_transport_get_idx to get the next obj directly, even if pos > objs nums, it would return NULL and stop hti. Fixes: 626d16f50f39 ("sctp: export some apis or variables for sctp_diag and reuse some for proc") Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to '')
-rw-r--r--net/sctp/socket.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 30aa0a529215..3a8318e518f1 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4666,9 +4666,8 @@ int sctp_for_each_transport(int (*cb)(struct sctp_transport *, void *),
if (err)
return err;
- sctp_transport_get_idx(net, &hti, pos);
- obj = sctp_transport_get_next(net, &hti);
- for (; obj && !IS_ERR(obj); obj = sctp_transport_get_next(net, &hti)) {
+ obj = sctp_transport_get_idx(net, &hti, pos + 1);
+ for (; !IS_ERR_OR_NULL(obj); obj = sctp_transport_get_next(net, &hti)) {
struct sctp_transport *transport = obj;
if (!sctp_transport_hold(transport))