Date: Tue, 26 Apr 2016 20:27:17 +0000 (UTC) From: "Conrad E. Meyer" <cem@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r298663 - head/sys/net Message-ID: <201604262027.u3QKRHC2035265@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: cem Date: Tue Apr 26 20:27:17 2016 New Revision: 298663 URL: https://svnweb.freebsd.org/changeset/base/298663 Log: radix_mpath: Don't derefence a NULL pointer in for loop iteration It seems rn_dupedkey may be NULL, because of the NULL check inside the loop. (Also, the rt gets assigned from rn_dupedkey and NULL checked at top of loop.) However, the for-loop update condition happens before the top-of-loop check and dereferences 'rt' unconditionally. Instead, NULL-check before dereferencing. If rn_dupedkey cannot in fact be NULL, or something else protects this, feel free to revert this and add an ASSERT of some kind instead. This was introduced in r191080 (2009) and moved around slightly in r293657. Reported by: Coverity CID: 1348482 Sponsored by: EMC / Isilon Storage Division Modified: head/sys/net/radix_mpath.c Modified: head/sys/net/radix_mpath.c ============================================================================== --- head/sys/net/radix_mpath.c Tue Apr 26 20:06:35 2016 (r298662) +++ head/sys/net/radix_mpath.c Tue Apr 26 20:27:17 2016 (r298663) @@ -223,7 +223,7 @@ rt_mpath_selectrte(struct rtentry *rte, hash %= total_weight; for (weight = abs((int32_t)hash); rt != NULL && weight >= rt->rt_weight; - weight -= rt->rt_weight) { + weight -= (rt == NULL) ? 0 : rt->rt_weight) { /* stay within the multipath routes */ if (rn->rn_dupedkey && rn->rn_mask != rn->rn_dupedkey->rn_mask)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201604262027.u3QKRHC2035265>