Message ID | 20191213141714.26865-1-liuhangbin@gmail.com (mailing list archive) |
---|---|
State | New |
Series | teamd/lacp: fix segfault due to NULL pointer dereference |
Fri, Dec 13, 2019 at 03:17:14PM CET, liuhangbin@gmail.com wrote:
>If we set a team0 link down with lacp mode, we will call like
>
> - lacp_port_agg_unselect()
> - lacp_switch_agg_lead()
> - teamd_log_dbg()
>
>while the new_agg_lead in lacp_switch_agg_lead() may be NULL, then we
>will get a NULL pointer dereference as we called new_agg_lead->ctx in
>new teamd_log_dbg().
>
>Fix it by using agg_lead->ctx, which is safe as we referenced it in function
>lacp_switch_agg_lead().
>
>Fixes: f32310b9a5cc ("libteam: wapper teamd_log_dbg with teamd_log_dbgx")
>Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>

applied, thanks.
diff --git a/teamd/teamd_runner_lacp.c b/teamd/teamd_runner_lacp.c index 7d940b3..ec01237 100644 --- a/teamd/teamd_runner_lacp.c +++ b/teamd/teamd_runner_lacp.c @@ -634,7 +634,7 @@ static void lacp_switch_agg_lead(struct lacp_port *agg_lead, struct teamd_port *tdport; struct lacp_port *lacp_port; - teamd_log_dbg(new_agg_lead->ctx, "Renaming aggregator %u to %u", + teamd_log_dbg(agg_lead->ctx, "Renaming aggregator %u to %u", lacp_agg_id(agg_lead), lacp_agg_id(new_agg_lead)); if (lacp->selected_agg_lead == agg_lead) lacp->selected_agg_lead = new_agg_lead;
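Review bot: in the changed teamd_log_dbg() call, new_agg_lead is still passed to lacp_agg_id(new_agg_lead) in the argument list, and the commit message says new_agg_lead may be NULL on this path. lacp_agg_id() is not visible in this hunk, so please confirm it tolerates a NULL port, or guard the call. A one-line comment above the log statement saying that new_agg_lead can be NULL, and that this is why agg_lead->ctx is used, would help keep a later refactor from reintroducing the dereference.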
If we set a team0 link down with lacp mode, we will call like

 - lacp_port_agg_unselect()
 - lacp_switch_agg_lead()
 - teamd_log_dbg()

while the new_agg_lead in lacp_switch_agg_lead() may be NULL, then we
will get a NULL pointer dereference as we called new_agg_lead->ctx in
new teamd_log_dbg().

Fix it by using agg_lead->ctx, which is safe as we referenced it in function
lacp_switch_agg_lead().

Fixes: f32310b9a5cc ("libteam: wapper teamd_log_dbg with teamd_log_dbgx")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
---
 teamd/teamd_runner_lacp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)