diff mbox series

teamd/lacp: fix segfault due to NULL pointer dereference

Message ID 20191213141714.26865-1-liuhangbin@gmail.com (mailing list archive)
State New
Headers show
Series teamd/lacp: fix segfault due to NULL pointer dereference | expand

Commit Message

Hangbin Liu Dec. 13, 2019, 2:17 p.m. UTC
If we set a team0 link down with lacp mode, we will call like

  - lacp_port_agg_unselect()
    - lacp_switch_agg_lead()
      - teamd_log_dbg()

while the new_agg_lead in lacp_switch_agg_lead() may be NULL, then we
will got NULL pointer dereference as we called new_agg_lead->ctx in
new teamd_log_dbg().

Fix it by using agg_lead->ctx, which is safe as we referenced it in function
lacp_switch_agg_lead().

Fixes: f32310b9a5cc ("libteam: wapper teamd_log_dbg with teamd_log_dbgx")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
---
 teamd/teamd_runner_lacp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Jiri Pirko Jan. 9, 2020, 2:26 p.m. UTC | #1
Fri, Dec 13, 2019 at 03:17:14PM CET, liuhangbin@gmail.com wrote:
>If we set a team0 link down with lacp mode, we will call like
>
>  - lacp_port_agg_unselect()
>    - lacp_switch_agg_lead()
>      - teamd_log_dbg()
>
>while the new_agg_lead in lacp_switch_agg_lead() may be NULL, then we
>will got NULL pointer dereference as we called new_agg_lead->ctx in
>new teamd_log_dbg().
>
>Fix it by using agg_lead->ctx, which is safe as we referenced it in function
>lacp_switch_agg_lead().
>
>Fixes: f32310b9a5cc ("libteam: wapper teamd_log_dbg with teamd_log_dbgx")
>Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>

applied, thanks.
diff mbox series

Patch

diff --git a/teamd/teamd_runner_lacp.c b/teamd/teamd_runner_lacp.c
index 7d940b3..ec01237 100644
--- a/teamd/teamd_runner_lacp.c
+++ b/teamd/teamd_runner_lacp.c
@@ -634,7 +634,7 @@  static void lacp_switch_agg_lead(struct lacp_port *agg_lead,
 	struct teamd_port *tdport;
 	struct lacp_port *lacp_port;
 
-	teamd_log_dbg(new_agg_lead->ctx, "Renaming aggregator %u to %u",
+	teamd_log_dbg(agg_lead->ctx, "Renaming aggregator %u to %u",
 		      lacp_agg_id(agg_lead), lacp_agg_id(new_agg_lead));
 	if (lacp->selected_agg_lead == agg_lead)
 		lacp->selected_agg_lead = new_agg_lead;