[PATCH net] tipc: make sure bc_rcvlink is not dereferenced with NULL value

Next message: Konrad Dybcio: "Re: [PATCH 4/4] clk: implement sync_state support"
Previous message: Vincenzo Frascino: "Re: [PATCH v3 2/4] media: mali-c55: Implement CCM block validation"
Next in thread: Tung Quang Nguyen: "RE: [PATCH net] tipc: make sure bc_rcvlink is not dereferenced with NULL value"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Markov Gleb

Date: Mon Jun 29 2026 - 09:48:15 EST

From: Gleb Markov <markov.gi@xxxxxxxxxx>

The direct dependence of the tipc_link_is_up() value on l->bc_rcvlink is
not explicitly specified.

If link is up, it is assumed that the sender and receiver have valid
values (communication with the receiver is required for timeout
synchronization), which is not guaranteed in this code segment.

Turning independent conditions into nested conditions ensures that NULL
cannot be dereferenced at tipc_link_build_proto_msg() and allows for the
logical structure to be fixed at the functional interaction level.

Make tipc_link_build_proto_msg() call only if l->bc_rcvlink is not NULL.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 047491ea334a ("tipc: set link tolerance correctly in broadcast link")
Signed-off-by: Gleb Markov <markov.gi@xxxxxxxxxx>
---
net/tipc/link.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/tipc/link.c b/net/tipc/link.c
index 49dfc098d89b..b0a640c419c8 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -2863,10 +2863,12 @@ void tipc_link_set_tolerance(struct tipc_link *l, u32 tol,
struct sk_buff_head *xmitq)
{
l->tolerance = tol;
- if (l->bc_rcvlink)
+ if (l->bc_rcvlink) {
l->bc_rcvlink->tolerance = tol;
- if (tipc_link_is_up(l))
- tipc_link_build_proto_msg(l, STATE_MSG, 0, 0, 0, tol, 0, xmitq);
+ if (tipc_link_is_up(l))
+ tipc_link_build_proto_msg(l, STATE_MSG,
+ 0, 0, 0, tol, 0, xmitq);
+ }
}

void tipc_link_set_prio(struct tipc_link *l, u32 prio,
--
2.43.0