svn commit: r298663 - head/sys/net
Conrad E. Meyer
cem at FreeBSD.org
Tue Apr 26 20:27:18 UTC 2016
Author: cem
Date: Tue Apr 26 20:27:17 2016
New Revision: 298663
URL: https://svnweb.freebsd.org/changeset/base/298663
Log:
radix_mpath: Don't derefence a NULL pointer in for loop iteration
It seems rn_dupedkey may be NULL, because of the NULL check inside the loop.
(Also, the rt gets assigned from rn_dupedkey and NULL checked at top of loop.)
However, the for-loop update condition happens before the top-of-loop check and
dereferences 'rt' unconditionally.
Instead, NULL-check before dereferencing.
If rn_dupedkey cannot in fact be NULL, or something else protects this, feel
free to revert this and add an ASSERT of some kind instead.
This was introduced in r191080 (2009) and moved around slightly in r293657.
Reported by: Coverity
CID: 1348482
Sponsored by: EMC / Isilon Storage Division
Modified:
head/sys/net/radix_mpath.c
Modified: head/sys/net/radix_mpath.c
==============================================================================
--- head/sys/net/radix_mpath.c Tue Apr 26 20:06:35 2016 (r298662)
+++ head/sys/net/radix_mpath.c Tue Apr 26 20:27:17 2016 (r298663)
@@ -223,7 +223,7 @@ rt_mpath_selectrte(struct rtentry *rte,
hash %= total_weight;
for (weight = abs((int32_t)hash);
rt != NULL && weight >= rt->rt_weight;
- weight -= rt->rt_weight) {
+ weight -= (rt == NULL) ? 0 : rt->rt_weight) {
/* stay within the multipath routes */
if (rn->rn_dupedkey && rn->rn_mask != rn->rn_dupedkey->rn_mask)
More information about the svn-src-all
mailing list