tipc: fix a potental access after delete in tipc_sk_join()

In commit d12d2e1 "tipc: send out join messages as soon as new member is discovered") we added a call to the function tipc_group_join() without considering the case that the preceding tipc_sk_publish() might have failed, and the group item already deleted. We fix this by returning from tipc_sk_join() directly after the failed tipc_sk_publish. Reported-by: [email protected] Signed-off-by: Jon Maloy <[email protected]> Signed-off-by: David S. Miller <[email protected]>
ambv · Jan 15, 2018 · febafc8 · febafc8
1 parent 2c76b34
commit febafc8
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
@@ -2774,6 +2774,7 @@ static int tipc_sk_join(struct tipc_sock *tsk, struct tipc_group_req *mreq)
 	if (rc) {
 		tipc_group_delete(net, grp);
 		tsk->group = NULL;
+		return rc;
 	}
 	/* Eliminate any risk that a broadcast overtakes sent JOINs */
 	tsk->mc_method.rcast = true;