xdr_inline_decode() could fail. When it fails, the return value is NULL and should not be dereferenced. The fix checks if xdr_inline_decode fails, and if so, returns. Signed-off-by: Kangjie Lu <kjlu@xxxxxxx> --- net/sunrpc/xprtrdma/backchannel.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/sunrpc/xprtrdma/backchannel.c b/net/sunrpc/xprtrdma/backchannel.c index e5b367a3e517..bd9be5272ef4 100644 --- a/net/sunrpc/xprtrdma/backchannel.c +++ b/net/sunrpc/xprtrdma/backchannel.c @@ -285,6 +285,8 @@ void rpcrdma_bc_receive_call(struct rpcrdma_xprt *r_xprt, __be32 *p; p = xdr_inline_decode(&rep->rr_stream, 0); + if (unlikely(!p)) + goto out_overflow; size = xdr_stream_remaining(&rep->rr_stream); #ifdef RPCRDMA_BACKCHANNEL_DEBUG -- 2.17.2 (Apple Git-113)
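Review bot: the added `goto out_overflow;` after `p = xdr_inline_decode(&rep->rr_stream, 0);` targets a label that is not visible in this hunk's context, so please confirm that `out_overflow` exists in rpcrdma_bc_receive_call() and that its cleanup is correct this early in the function, before `size` has been computed. The commit message says the fix "returns", while the code jumps to an error label; say in the message what that path does (for example, whether the reply is dropped or logged). The call passes a length of 0, so the message should also state under which condition a zero-length decode can return NULL. That lets a reader judge whether the `unlikely(!p)` branch is reachable or purely defensive.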