ibacm: Fix invalid memory dereference in acm_process_join_resp

If a join request fails, the dest pointer may not be initialized.
This can result in the ibacm daemon crashing.

Problem reported by: Kaike Wan <kaike.wan@intel.com>

Signed-off-by: Sean Hefty <sean.hefty@intel.com>

diff --git a/src/acm.c b/src/acm.c
index 851a258a62175d4b83c45fbda666059ed1bb65a1..2134ddc37e029da88c5a71bf9a87b90abc0d97e1 100644 (file)
--- a/src/acm.c
+++ b/src/acm.c
@@ -783,12 +783,12 @@ static void acm_process_join_resp(struct acm_ep *ep, struct ib_user_mad *umad)
                dest->ah = ibv_create_ah(ep->port->dev->pd, &dest->av);
                if (!dest->ah) {
                        acm_log(0, "ERROR - unable to create ah\n");
-                       goto err1;
+                       goto err2;
                }
                ret = ibv_attach_mcast(ep->qp, &mc_rec->mgid, mc_rec->mlid);
                if (ret) {
                        acm_log(0, "ERROR - unable to attach QP to multicast group\n");
-                       goto err2;
+                       goto err3;
                }
        }
 
@@ -797,11 +797,12 @@ static void acm_process_join_resp(struct acm_ep *ep, struct ib_user_mad *umad)
        acm_log(1, "join successful\n");
        lock_release(&ep->lock);
        return;
-err2:
+err3:
        ibv_destroy_ah(dest->ah);
        dest->ah = NULL;
-err1:
+err2:
        dest->state = ACM_INIT;
+err1:
        lock_release(&ep->lock);
 }