[Bug 49851] New: Missing NULL check of return value of dev_alloc_skb() in function ipw_packet_received_skb()
bugzilla-daemon at bugzilla.kernel.org
Thu Nov 1 05:16:23 EDT 2012
https://bugzilla.kernel.org/show_bug.cgi?id=49851
Summary: Missing NULL check of return value of dev_alloc_skb() in function ipw_packet_received_skb()
Product: Drivers
Version: 2.5
Kernel Version: 2.6.39
Platform: All
OS/Version: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: PCMCIA
AssignedTo: linux-pcmcia at lists.infradead.org
ReportedBy: rucsoftsec at gmail.com
Regression: No
Function dev_alloc_skb() may return a NULL pointer, thus its return value shall
be checked against NULL before it is used. But in function ipw_packet_received_skb(),
the return value of dev_alloc_skb() (called at
drivers/tty/ipwireless/network.c:349) is not checked. So an invalid memory
access fault may be triggered when the return value (held by variable skb) of
dev_alloc_skb() is used as a parameter of function skb_reserve() at line 350.
The related code snippets are as follows.
ipw_packet_received_skb @@ drivers/tty/ipwireless/network.c:349
349 skb = dev_alloc_skb(length + 4);
350 skb_reserve(skb, 2);
351 memcpy(skb_put(skb, length), data, length);
Generally, the return value of dev_alloc_skb() is checked against NULL before
it is used. Take fwnet_pd_new(), a function in file drivers/firewire/net.c, for
example.
fwnet_pd_new @@ drivers/firewire/net.c:400
400 new->skb = dev_alloc_skb(dg_size + net->hard_header_len + 15);
401 if (new->skb == NULL)
402 goto fail_w_fi;
403
404 skb_reserve(new->skb, (net->hard_header_len + 15) & ~15);
405 new->pbuf = skb_put(new->skb, dg_size);
406 memcpy(new->pbuf + frag_off, frag_buf, frag_len);
Thanks
RUC_Soft_Sec
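As an added user-space model (not the driver's or the kernel's code): the sk_buff helpers below are constructed stand-ins, with a fault-injection knob standing in for allocator failure, so the hardened form of the reported path, carrying the NULL check the report asks for, can be exercised both when dev_alloc_skb() fails and when it succeeds. Every name not quoted in the report (the knob, the scenario functions, the sample frame) is an assumption of this model.

```c
/* Added user-space model (not kernel code): minimal sk_buff stand-ins so the
 * hardened receive path can be exercised under an injected allocation failure. */
#include <stdlib.h>
#include <string.h>
struct sk_buff { unsigned char *head, *data, *tail; size_t len; };
static int inject_alloc_failure;  /* fault-injection knob: when set, dev_alloc_skb() fails */
static struct sk_buff *dev_alloc_skb(size_t size)
{
    struct sk_buff *skb = inject_alloc_failure ? NULL : calloc(1, sizeof(*skb));
    if (!skb || !(skb->head = calloc(1, size))) { free(skb); return NULL; }
    skb->data = skb->tail = skb->head;
    return skb;
}
static void skb_reserve(struct sk_buff *skb, size_t n) { skb->data += n; skb->tail += n; }
static unsigned char *skb_put(struct sk_buff *skb, size_t n)
{ unsigned char *p = skb->tail; skb->tail += n; skb->len += n; return p; }
static void kfree_skb(struct sk_buff *skb) { if (skb) { free(skb->head); free(skb); } }
/* Hardened version of the reported path: the allocation result is checked before
 * skb_reserve()/skb_put() touch it; -1 lets the caller drop the packet instead of faulting. */
static int ipw_packet_received_skb_checked(const unsigned char *data, size_t length,
                                           struct sk_buff **out)
{
    struct sk_buff *skb = dev_alloc_skb(length + 4);
    if (!skb)
        return -1;   /* the check the report says is missing at network.c:349 */
    skb_reserve(skb, 2);
    memcpy(skb_put(skb, length), data, length);
    *out = skb;
    return 0;
}
static const unsigned char sample_pkt[] = { 0xde, 0xad, 0xbe, 0xef };  /* constructed frame */
/* Allocation fails: 1 if the hardened path returned -1 and left *out untouched. */
static int scenario_alloc_failure(void)
{
    struct sk_buff *skb = NULL;
    inject_alloc_failure = 1;
    int rc = ipw_packet_received_skb_checked(sample_pkt, sizeof sample_pkt, &skb);
    inject_alloc_failure = 0;
    return rc == -1 && skb == NULL;
}
/* Allocation succeeds: 1 if the payload sits right after the 2-byte reserve. */
static int scenario_normal_receive(void)
{
    struct sk_buff *skb = NULL;
    int ok = ipw_packet_received_skb_checked(sample_pkt, sizeof sample_pkt, &skb) == 0
          && skb && skb->len == 4 && skb->data == skb->head + 2 && !memcmp(skb->data, sample_pkt, 4);
    kfree_skb(skb);
    return ok;
}
```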