dpa_offload: Avoid dereferencing a NULL pointer in case of corrupted user params

In the dpa_classifier function "try_compatible_node" there are some
places where the header manipulation operation flags are compared to
the configuration of an existing header manipulation node. The control
path however doesn't suspend in case an inconsistency is found in the
flags and, in some rare cases when users provide corrupt parameters,
there is a danger to dereference a NULL hm_node pointer.

Change-Id: I355862c146a228e5878272156adaf92a76391ce6
Signed-off-by: Marian Chereji <marian.chereji@freescale.com>
Reviewed-on: http://git.am.freescale.net:8181/23111
Tested-by: Review Code-CDREVIEW <CDREVIEW@freescale.com>
Reviewed-by: Anca Jeanina Floarea <AncaJeanina.Floarea@freescale.com>
Reviewed-by: Richard Schmitt <richard.schmitt@freescale.com>

1 files changed, 7 insertions, 2 deletions

diff --git a/drivers/staging/fsl_dpa_offload/dpa_classifier.c b/drivers/staging/fsl_dpa_offload/dpa_classifier.c
index 20b0143..e360e09 100644
--- a/drivers/staging/fsl_dpa_offload/dpa_classifier.c
+++ b/drivers/staging/fsl_dpa_offload/dpa_classifier.c
@@ -3896,8 +3896,10 @@ static struct dpa_cls_hm_node *try_compatible_node(const struct dpa_cls_hm *hm)
 		 * compatible for aggregation:
 		 */
 		if ((hm->update_params.op_flags & update_flags) &&
-			(hm_node->params.u.hdr.fieldUpdate))
+			(hm_node->params.u.hdr.fieldUpdate)) {
 			hm_node = NULL;
+			break;
+		}
 
 		/*
 		 * If in the previous HM node the custom header replace
@@ -3928,8 +3930,11 @@ static struct dpa_cls_hm_node *try_compatible_node(const struct dpa_cls_hm *hm)
 			 * not compatible for aggregation:
 			 */
 			if ((hm->vlan_params.egress.num_tags) &&
-				(hm_node->params.u.hdr.insrt))
+				(hm_node->params.u.hdr.insrt)) {
 				hm_node = NULL;
+				break;
+			}
+
 			/*
 			 * If in the previous HM node the update operation is
 			 * already used and we need to do VLAN update, then it