From owner-svn-src-head@freebsd.org Tue Apr 26 20:27:18 2016 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 83C84B1D5E8; Tue, 26 Apr 2016 20:27:18 +0000 (UTC) (envelope-from cem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 43D581CFE; Tue, 26 Apr 2016 20:27:18 +0000 (UTC) (envelope-from cem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u3QKRHbd035266; Tue, 26 Apr 2016 20:27:17 GMT (envelope-from cem@FreeBSD.org) Received: (from cem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u3QKRHC2035265; Tue, 26 Apr 2016 20:27:17 GMT (envelope-from cem@FreeBSD.org) Message-Id: <201604262027.u3QKRHC2035265@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: cem set sender to cem@FreeBSD.org using -f From: "Conrad E. Meyer" Date: Tue, 26 Apr 2016 20:27:17 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r298663 - head/sys/net X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Apr 2016 20:27:18 -0000 Author: cem Date: Tue Apr 26 20:27:17 2016 New Revision: 298663 URL: https://svnweb.freebsd.org/changeset/base/298663 Log: radix_mpath: Don't derefence a NULL pointer in for loop iteration It seems rn_dupedkey may be NULL, because of the NULL check inside the loop. (Also, the rt gets assigned from rn_dupedkey and NULL checked at top of loop.) However, the for-loop update condition happens before the top-of-loop check and dereferences 'rt' unconditionally. Instead, NULL-check before dereferencing. If rn_dupedkey cannot in fact be NULL, or something else protects this, feel free to revert this and add an ASSERT of some kind instead. This was introduced in r191080 (2009) and moved around slightly in r293657. Reported by: Coverity CID: 1348482 Sponsored by: EMC / Isilon Storage Division Modified: head/sys/net/radix_mpath.c Modified: head/sys/net/radix_mpath.c ============================================================================== --- head/sys/net/radix_mpath.c Tue Apr 26 20:06:35 2016 (r298662) +++ head/sys/net/radix_mpath.c Tue Apr 26 20:27:17 2016 (r298663) @@ -223,7 +223,7 @@ rt_mpath_selectrte(struct rtentry *rte, hash %= total_weight; for (weight = abs((int32_t)hash); rt != NULL && weight >= rt->rt_weight; - weight -= rt->rt_weight) { + weight -= (rt == NULL) ? 0 : rt->rt_weight) { /* stay within the multipath routes */ if (rn->rn_dupedkey && rn->rn_mask != rn->rn_dupedkey->rn_mask)