https://bugzilla.kernel.org/show_bug.cgi?id=49851
Summary: Missing NULL check of return value of dev_alloc_skb() in function ipw_packet_received_skb()
Product: Drivers
Version: 2.5
Kernel Version: 2.6.39
Platform: All
OS/Version: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: PCMCIA
AssignedTo: linux-pcmcia@lists.infradead.org
ReportedBy: rucsoft...@gmail.com
Regression: No

Function dev_alloc_skb() may return a NULL pointer, so its return value must be checked against NULL before it is used. In function ipw_packet_received_skb(), however, the return value of dev_alloc_skb() (called at drivers/tty/ipwireless/network.c:349) is not checked, so an invalid memory access fault may be triggered when that return value (held by variable skb) is passed to skb_reserve() at line 350. The related code snippets are as follows.

ipw_packet_received_skb @@ drivers/tty/ipwireless/network.c:349

    349 skb = dev_alloc_skb(length + 4);
    350 skb_reserve(skb, 2);
    351 memcpy(skb_put(skb, length), data, length);

Generally, the return value of dev_alloc_skb() is checked against NULL before it is used. Take fwnet_pd_new(), a function in file drivers/firewire/net.c, for example.

fwnet_pd_new @@ drivers/firewire/net.c:400

    400 new->skb = dev_alloc_skb(dg_size + net->hard_header_len + 15);
    401 if (new->skb == NULL)
    402         goto fail_w_fi;
    403
    404 skb_reserve(new->skb, (net->hard_header_len + 15) & ~15);
    405 new->pbuf = skb_put(new->skb, dg_size);
    406 memcpy(new->pbuf + frag_off, frag_buf, frag_len);

Thanks
RUC_Soft_Sec

_______________________________________________
Linux PCMCIA reimplementation list
http://lists.infradead.org/mailman/listinfo/linux-pcmcia
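As an added example (not the driver's or the reporter's code), a user-space model of the receive path above with the missing check added in the fwnet_pd_new() style, so the allocation-failure case can be exercised without a kernel. The sk_buff struct, dev_alloc_skb(), dev_kfree_skb(), skb_reserve() and skb_put() are minimal stand-ins, fail_next_alloc is an assumed fault-injection hook, and sample_pkt is a constructed frame.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Minimal user-space stand-ins for the kernel sk_buff API (not kernel code). */
struct sk_buff { unsigned char *head, *data, *tail; unsigned int len; };
static int fail_next_alloc; /* fault injection: 1 => next dev_alloc_skb() returns NULL */

static struct sk_buff *dev_alloc_skb(unsigned int size)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; } /* simulated memory pressure */
    struct sk_buff *skb = calloc(1, sizeof *skb);
    if (!skb) return NULL;
    if (!(skb->head = calloc(1, size))) { free(skb); return NULL; }
    skb->data = skb->tail = skb->head;
    return skb;
}
static void dev_kfree_skb(struct sk_buff *skb) { if (skb) { free(skb->head); free(skb); } }
static void skb_reserve(struct sk_buff *skb, int len) { skb->data += len; skb->tail += len; }
static unsigned char *skb_put(struct sk_buff *skb, unsigned int len)
{ unsigned char *p = skb->tail; skb->tail += len; skb->len += len; return p; }

/* Hardened form of network.c:349-351, following the fwnet_pd_new() pattern:
 * report -ENOMEM instead of handing a NULL skb to skb_reserve(). */
static int rx_packet_fixed(const unsigned char *data, unsigned int length, struct sk_buff **out)
{
    struct sk_buff *skb = dev_alloc_skb(length + 4);
    if (!skb)
        return -ENOMEM;            /* the check the report says is missing */
    skb_reserve(skb, 2);
    memcpy(skb_put(skb, length), data, length);
    *out = skb;
    return 0;
}

static const unsigned char sample_pkt[4] = {0xde, 0xad, 0xbe, 0xef}; /* constructed frame */

/* Allocator fails: the fixed path must return -ENOMEM without touching skb. */
int scenario_alloc_failure(void)
{
    struct sk_buff *skb = NULL;
    fail_next_alloc = 1;
    return rx_packet_fixed(sample_pkt, sizeof sample_pkt, &skb);
}
/* Allocator succeeds: returns the payload length if it landed 2 bytes past head. */
int scenario_alloc_ok(void)
{
    struct sk_buff *skb = NULL;
    if (rx_packet_fixed(sample_pkt, sizeof sample_pkt, &skb) != 0) return -1;
    int rc = (skb->data - skb->head == 2 && !memcmp(skb->data, sample_pkt, 4)) ? (int)skb->len : -1;
    dev_kfree_skb(skb);
    return rc;
}
```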