batman-adv: Avoid nullptr derefence in batadv_v_neigh_is_sob
Commit Message
batadv_neigh_ifinfo_get can return NULL when it cannot find (even when only
temporarily) anymore the neigh_ifinfo in the list neigh->ifinfo_list. This
has to be checked to avoid kernel Oopses when the ifinfo is dereferenced.
This a situation which isn't expected but is already handled by functions
like batadv_v_neigh_cmp. The same kind of warning is therefore used before
the function returns without dereferencing the pointers.
Fixes: b05bbab5e1fc ("batman-adv: B.A.T.M.A.N. V - implement neighbor comparison API calls")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
---
net/batman-adv/bat_v.c | 3 +++
1 file changed, 3 insertions(+)
Comments
On Friday 06 May 2016 11:22:47 Sven Eckelmann wrote:
> batadv_neigh_ifinfo_get can return NULL when it cannot find (even when only
> temporarily) anymore the neigh_ifinfo in the list neigh->ifinfo_list. This
> has to be checked to avoid kernel Oopses when the ifinfo is dereferenced.
>
> This a situation which isn't expected but is already handled by functions
> like batadv_v_neigh_cmp. The same kind of warning is therefore used before
> the function returns without dereferencing the pointers.
>
> Fixes: b05bbab5e1fc ("batman-adv: B.A.T.M.A.N. V - implement neighbor
> comparison API calls") Signed-off-by: Sven Eckelmann <sven@narfation.org>
> ---
Looks like the reference counting is also completely broken in these functions
:(
Kind regards,
Sven
@@ -286,6 +286,9 @@ static bool batadv_v_neigh_is_sob(struct batadv_neigh_node *neigh1,
ifinfo1 = batadv_neigh_ifinfo_get(neigh1, if_outgoing1);
ifinfo2 = batadv_neigh_ifinfo_get(neigh2, if_outgoing2);
+ if (WARN_ON(!ifinfo1 || !ifinfo2))
+ return false;
+
threshold = ifinfo1->bat_v.throughput / 4;
threshold = ifinfo1->bat_v.throughput - threshold;