From patchwork Fri Sep 10 11:58:10 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dan Carpenter <error27@gmail.com>
X-Patchwork-Id: 64385
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id D62D7B711B
	for <patchwork-incoming@ozlabs.org>;
	Fri, 10 Sep 2010 22:03:48 +1000 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753381Ab0IJL6b (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Fri, 10 Sep 2010 07:58:31 -0400
Received: from mail-qy0-f174.google.com ([209.85.216.174]:55258 "EHLO
	mail-qy0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753261Ab0IJL60 (ORCPT
	<rfc822;netdev@vger.kernel.org>); Fri, 10 Sep 2010 07:58:26 -0400
Received: by qyk36 with SMTP id 36so7191042qyk.19
	for <multiple recipients>; Fri, 10 Sep 2010 04:58:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:date:from:to:cc:subject
	:message-id:mime-version:content-type:content-disposition:user-agent;
	bh=ih/Ebdb/JYfza3enVOSGEPLHWIvbdIuXxJaKr0s/9Fc=;
	b=DRi4Pra6RnuDF0OrWJwPAt8Lyn9KGp3Qs/qCdp+Zgc9floaHLwni1Zb03xTRjKNtct
	7Z9U8uHJ+EpZwZgPjzy3LHiqiOlmv1hFmR4iDBatheFX+S7AAqbgRjTKgSvpC/Xut3YW
	MGz39wkisEdxfd6qbhsKPco4WkpLVaYrtWKms=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=date:from:to:cc:subject:message-id:mime-version:content-type
	:content-disposition:user-agent;
	b=rcvBgzZ9WFowpgXyt1TAy0B3tIdDUdDmvt1d+yOghDzeAjAGlvy8iUOW5R/z8assMj
	OrNX13dcnY4pjRl6Z9SteljCfI51bqHKPNP/24rfhskTwhYFWHERzgISd80piWvQZoJ8
	kFbrSTqSK1a7D9nDy3CwPELI+MxtqC3LyiIzg=
Received: by 10.224.37.19 with SMTP id v19mr288023qad.226.1284119905712;
	Fri, 10 Sep 2010 04:58:25 -0700 (PDT)
Received: from bicker ([41.205.146.22])
	by mx.google.com with ESMTPS id l8sm2591773qck.18.2010.09.10.04.58.18
	(version=TLSv1/SSLv3 cipher=RC4-MD5);
	Fri, 10 Sep 2010 04:58:25 -0700 (PDT)
Date: Fri, 10 Sep 2010 13:58:10 +0200
From: Dan Carpenter <error27@gmail.com>
To: Paul Mackerras <paulus@samba.org>
Cc: "David S. Miller" <davem@davemloft.net>,
	Simon Arlott <simon@fire.lp0.eu>, Ben McKeegan <ben@netservers.co.uk>,
	Stephen Hemminger <shemminger@vyatta.com>,
	Len Sorensen <lsorense@csclub.uwaterloo.ca>,
	linux-ppp@vger.kernel.org, netdev@vger.kernel.org,
	kernel-janitors@vger.kernel.org
Subject: [patch] ppp: potential NULL dereference in ppp_mp_explode()
Message-ID: <20100910115809.GF5959@bicker>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Smatch complains because we check whether "pch->chan" is NULL and then
dereference it unconditionally on the next line.  Partly the reason this
bug was introduced is because code was too complicated.  I've simplified
it a little.

Signed-off-by: Dan Carpenter <error27@gmail.com>
---
Compile tested only.  Perhaps it would be better to set pch->speed to
zero?  The comments say that zero implies the speed hasn't been set.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/net/ppp_generic.c b/drivers/net/ppp_generic.c
index 6695a51..736b917 100644
--- a/drivers/net/ppp_generic.c
+++ b/drivers/net/ppp_generic.c
@@ -1314,8 +1314,13 @@ static int ppp_mp_explode(struct ppp *ppp, struct sk_buff *skb)
 	hdrlen = (ppp->flags & SC_MP_XSHORTSEQ)? MPHDRLEN_SSN: MPHDRLEN;
 	i = 0;
 	list_for_each_entry(pch, &ppp->channels, clist) {
-		navail += pch->avail = (pch->chan != NULL);
-		pch->speed = pch->chan->speed;
+		if (pch->chan) {
+			pch->avail = 1;
+			navail++;
+			pch->speed = pch->chan->speed;
+		} else {
+			pch->avail = 0;
+		}
 		if (pch->avail) {
 			if (skb_queue_empty(&pch->file.xq) ||
 				!pch->had_frag) {