appletalk: Fix potential NULL pointer dereference in unregister_snap_client

register_snap_client may return NULL, all the callers check it, but only print a warning. This will result in NULL pointer dereference in unregister_snap_client and other places. It has always been used like this since v2.6 Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: YueHaibing <yuehaibing@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2025-11-04 02:30:34 +02:00 · 2019-03-14 13:47:59 +08:00 · 2019-03-14 13:47:59 +08:00 · 9804501fa1
commit 9804501fa1
parent f261c4e529
3 changed files with 25 additions and 12 deletions
--- a/include/linux/atalk.h
+++ b/include/linux/atalk.h
@ -108,7 +108,7 @@ static __inline__ struct elapaarp *aarp_hdr(struct sk_buff *skb)
 #define AARP_RESOLVE_TIME	(10 * HZ)
 extern struct datalink_proto *ddp_dl, *aarp_dl;
-extern void aarp_proto_init(void);
+extern int aarp_proto_init(void);
 /* Inter module exports */
--- a/net/appletalk/aarp.c
+++ b/net/appletalk/aarp.c
@ -879,15 +879,24 @@ static struct notifier_block aarp_notifier = {
 static unsigned char aarp_snap_id[] = { 0x00, 0x00, 0x00, 0x80, 0xF3 };
-void __init aarp_proto_init(void)
+int __init aarp_proto_init(void)
 {
 	int rc;
 	aarp_dl = register_snap_client(aarp_snap_id, aarp_rcv);
-	if (!aarp_dl)
+	if (!aarp_dl) {
 		printk(KERN_CRIT "Unable to register AARP with SNAP.\n");
 		return -ENOMEM;
 	}
 	timer_setup(&aarp_timer, aarp_expire_timeout, 0);
 	aarp_timer.expires  = jiffies + sysctl_aarp_expiry_time;
 	add_timer(&aarp_timer);
-	register_netdevice_notifier(&aarp_notifier);
+	rc = register_netdevice_notifier(&aarp_notifier);
 	if (rc) {
 		del_timer_sync(&aarp_timer);
 		unregister_snap_client(aarp_dl);
 	}
 	return rc;
 }
 /* Remove the AARP entries associated with a device. */
--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@ -1904,9 +1904,6 @@ static unsigned char ddp_snap_id[] = { 0x08, 0x00, 0x07, 0x80, 0x9B };
 EXPORT_SYMBOL(atrtr_get_dev);
 EXPORT_SYMBOL(atalk_find_dev_addr);
 static const char atalk_err_snap[] __initconst =
 	KERN_CRIT "Unable to register DDP with SNAP.\n";
 /* Called by proto.c on kernel start up */
 static int __init atalk_init(void)
 {
@ -1921,17 +1918,22 @@ static int __init atalk_init(void)
 		goto out_proto;
 	ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv);
-	if (!ddp_dl)
+	if (!ddp_dl) {
-		printk(atalk_err_snap);
+		pr_crit("Unable to register DDP with SNAP.\n");
 		goto out_sock;
 	}
 	dev_add_pack(&ltalk_packet_type);
 	dev_add_pack(&ppptalk_packet_type);
 	rc = register_netdevice_notifier(&ddp_notifier);
 	if (rc)
-		goto out_sock;
+		goto out_snap;
 	rc = aarp_proto_init();
 	if (rc)
 		goto out_dev;
 	aarp_proto_init();
 	rc = atalk_proc_init();
 	if (rc)
 		goto out_aarp;
@ -1945,11 +1947,13 @@ static int __init atalk_init(void)
 	atalk_proc_exit();
 out_aarp:
 	aarp_cleanup_module();
 out_dev:
 	unregister_netdevice_notifier(&ddp_notifier);
-out_sock:
+out_snap:
 	dev_remove_pack(&ppptalk_packet_type);
 	dev_remove_pack(&ltalk_packet_type);
 	unregister_snap_client(ddp_dl);
 out_sock:
 	sock_unregister(PF_APPLETALK);
 out_proto:
 	proto_unregister(&ddp_proto);