[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH] tmem: Prevent NULL dereference on error case



If the client / pool IDs given to tmemc_save_get_next_page are invalid,
the calculation of pagesize will dereference NULL.

Fix this by moving the calculation below the appropriate NULL check.

Signed-off-by: Matthew Daley <mattjd@xxxxxxxxx>

diff --git a/xen/common/tmem.c b/xen/common/tmem.c
index 1280537..ec59009 100644
--- a/xen/common/tmem.c
+++ b/xen/common/tmem.c
@@ -2436,10 +2436,13 @@ static NOINLINE int tmemc_save_get_next_page(int 
cli_id, uint32_t pool_id,
     OID oid;
     int ret = 0;
     struct tmem_handle h;
-    unsigned int pagesize = 1 << (pool->pageshift+12);
+    unsigned int pagesize;
 
     if ( pool == NULL || is_ephemeral(pool) )
         return -1;
+
+    pagesize = 1 << (pool->pageshift + 12);
+
     if ( bufsize < pagesize + sizeof(struct tmem_handle) )
         return -ENOMEM;
 
-- 
1.7.10.4


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.