Colin Ian King <colin.k...@canonical.com> wrote: > I think the following part of the patch is problematic: > > call = rxrpc_find_call_by_user_ID(rx, user_call_ID); > if (!call) { > + ret = -EBADSLT; > if (cmd != RXRPC_CMD_SEND_DATA) > - return -EBADSLT; > + goto error_release_sock; > + ret = -EBUSY; > > At this point call is null, so the following code is performing a null > pointer dereference on call when accessing call->state. > > Detected by CoverityScan CID#1414316 ("Dereference after null check") > > + if (call->state == RXRPC_CALL_UNINITIALISED || > + call->state == RXRPC_CALL_CLIENT_AWAIT_CONN || > + call->state == RXRPC_CALL_SERVER_PREALLOC || > + call->state == RXRPC_CALL_SERVER_SECURING || > + call->state == RXRPC_CALL_SERVER_ACCEPTING) > + goto error_release_sock; > call = rxrpc_new_client_call_for_sendmsg(rx, msg, > user_call_ID,
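Review bot: the `call->state` checks in this hunk sit inside the `if (!call)` branch, so for RXRPC_CMD_SEND_DATA the code sets `ret = -EBUSY` and then reads `call->state` while `call` is still NULL, before `rxrpc_new_client_call_for_sendmsg()` has assigned it; that is the dereference Coverity flags (CID#1414316). A state test only makes sense for a call that already exists, so it belongs in the other half of the if-statement, where `rxrpc_find_call_by_user_ID()` returned a non-NULL `call`, e.g. `} else if (call->state == RXRPC_CALL_UNINITIALISED || ...) { ret = -EBUSY; goto error_release_sock; }`, leaving the `!call` branch with only the `-EBADSLT` exit for non-SEND_DATA commands and the new-call creation. The `return -EBADSLT` to `goto error_release_sock` conversion itself is fine since `ret` is set first.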
Good catch, thanks, I put the state check in the wrong half of the if-statement.

David