[PATCH 2/2] staging: Add NULL checks against return values of skb_clone() and dev_alloc_skb()
When there is no enough memory, functions skb_clone() and dev_alloc_skb() may return NULL pointers, they should be checked against NULL before used. This bug is found by a static analysis tool developed by RUC_SoftSec, supported by China.X.Orion.
Signed-off-by: RUC_SoftSec
---
 drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
index 1617f2e..1409025 100644
--- a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
+++ b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
@@ -849,7 +849,7 @@ u8 parse_subframe(struct sk_buff *skb,
 #ifdef JOHN_NOCPY
 sub_skb = skb_clone(skb, GFP_ATOMIC);
 if (sub_skb == NULL) {
- printk("%s: skb_clone() failed, no enough memory\n", __FUNCTION__);
+ printk("%s: skb_clone() failed\n", __FUNCTION__);
 return 0;
 }
 sub_skb->len = nSubframe_Length;
@@ -858,7 +858,7 @@ u8 parse_subframe(struct sk_buff *skb,
 /* Allocate new skb for releasing to upper layer */
 sub_skb = dev_alloc_skb(nSubframe_Length + 12);
 if (sub_skb == NULL) {
- printk("%s: dev_alloc_skb() failed, no enough memory\n", __FUNCTION__);
+ printk("%s: dev_alloc_skb() failed\n", __FUNCTION__);
 return 0;
 }
 skb_reserve(sub_skb, 12);
--
1.7.9.5
___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
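Review bot: Both reworded printk() calls still carry no log level and no rate limit, and `__FUNCTION__` is the older GCC spelling of `__func__`. parse_subframe lives in ieee80211_rx.c, so these failure paths are presumably reached once per received frame, and under memory pressure an unthrottled message can flood the kernel log. Consider `if (net_ratelimit()) printk(KERN_WARNING "%s: skb_clone() failed\n", __func__);` in the first hunk and the same form for dev_alloc_skb() in the second, or drop the messages altogether. The subject line announces added NULL checks, while both hunks only shorten message text, so the subject should say that instead. parse_subframe's body starts and ends outside both hunks.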
[PATCH 1/1] staging: Add NULL checks to return value of skb_clone() and dev_alloc_skb()
Function skb_clone() and dev_alloc_skb() may return NULL pointers if there is no enough memroy, their return values should be checked against NULL before used. This bug is found by a static tool developed by RUC_SoftSec, supported by China.X.Orion.
Signed-off-by: RUC_SoftSec
---
 drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c |8
 1 file changed, 8 insertions(+)
diff --git a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
index 59900bf..9162151 100644
--- a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
+++ b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
@@ -848,11 +848,19 @@ u8 parse_subframe(struct sk_buff *skb,
 #ifdef JOHN_NOCPY
 sub_skb = skb_clone(skb, GFP_ATOMIC);
+ if (sub_skb == NULL) {
+ printk("ERR in %s(), skb_clone() failed\n", __FUNCTION__);
+ return 0;
+ }
 sub_skb->len = nSubframe_Length;
 sub_skb->tail = sub_skb->data + nSubframe_Length;
 #else
 /* Allocate new skb for releasing to upper layer */
 sub_skb = dev_alloc_skb(nSubframe_Length + 12);
+ if (sub_skb == NULL) {
+ printk("ERR in %s(), dev_alloc_skb() failed\n", __FUNCTION__);
+ return 0;
+ }
 skb_reserve(sub_skb, 12);
 data_ptr = (u8 *)skb_put(sub_skb, nSubframe_Length);
 memcpy(data_ptr,skb->data,nSubframe_Length);
--
1.7.9.5
___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
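Review bot: The two added `return 0;` exits leave parse_subframe without showing what happens to any sub_skb produced earlier in the same call. If these allocations sit inside a per-subframe loop (the loop is not visible in the hunk), the caller has to free whatever was already queued when it sees 0; a comment such as `/* caller frees already-queued subframes when 0 is returned */` above each return would record that contract. Separately, nSubframe_Length feeds both `dev_alloc_skb(nSubframe_Length + 12)` and the memcpy() from skb->data, and its validation against the received frame's length lies outside the hunk, so it is worth confirming while this path is being touched.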
[PATCH 1/1] staging: check return value of dev_alloc_skb() against NULL
Function dev_alloc_skb() may return a NULL pointer if there is no enough memory, it should be checked against NULL before used. This bug is found by a static analysis tool developed by RUC_SoftSec, supported by China.X.Orion.
Signed-off-by: RUC_SoftSec
---
 drivers/staging/rtl8192u/r819xU_firmware.c |8
 1 file changed, 8 insertions(+)
diff --git a/drivers/staging/rtl8192u/r819xU_firmware.c b/drivers/staging/rtl8192u/r819xU_firmware.c
index bb924ac..045e48c 100644
--- a/drivers/staging/rtl8192u/r819xU_firmware.c
+++ b/drivers/staging/rtl8192u/r819xU_firmware.c
@@ -66,6 +66,10 @@ bool fw_download_code(struct net_device *dev, u8 *code_virtual_address, u32 buff
 #else
 skb = dev_alloc_skb(frag_length + 4);
 #endif
+ if (skb == NULL) {
+ rt_status = false;
+ break;
+ }
 memcpy((unsigned char *)(skb->cb),&dev,sizeof(dev));
 tcb_desc = (cb_desc *)(skb->cb + MAX_DEV_ADDR_SIZE);
 tcb_desc->queue_index = TXCMD_QUEUE;
@@ -124,6 +128,10 @@ fwSendNullPacket(
 //Get TCB and local buffer from common pool. (It is shared by CmdQ, MgntQ, and USB coalesce DataQ)
 skb = dev_alloc_skb(Length+ 4);
+ if (skb == NULL) {
+ rtStatus = false;
+ return rtStatus;
+ }
 memcpy((unsigned char *)(skb->cb),&dev,sizeof(dev));
 tcb_desc = (cb_desc *)(skb->cb + MAX_DEV_ADDR_SIZE);
 tcb_desc->queue_index = TXCMD_QUEUE;
--
1.7.9.5
___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
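Review bot: The new `break` in fw_download_code reports the allocation failure only through `rt_status = false`, presumably after earlier fragments of the image have already been handed to the device. The callers are outside the hunk; each one has to treat false as a failed download and must not continue bringing the firmware up on a partially loaded image. A short comment on the check, for example `/* abort download; caller must not start the firmware */`, would make that contract explicit. Placing the check after `#endif` is right, since it then covers both allocation variants.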
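Review bot: In fwSendNullPacket the pair `rtStatus = false; return rtStatus;` can be written as `return false;`, which makes it obvious that nothing needs releasing on this path. That holds only if no resource is acquired before the dev_alloc_skb() call; the start of the function is outside the hunk, so confirm it before simplifying.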
[PATCH 1/1] staging: Add a NULL check to return value of dev_alloc_skb()
Function dev_alloc_skb() may return a NULL pointer when there is no enough memory, its return value should be checked before used. This bug is found by a static analysis tool developed by RUC_SoftSec, supported by China.X.Orion.
Signed-off-by: RUC_SoftSec
---
 .../staging/rtl8192e/rtl8192e/r8192E_firmware.c|4
 1 file changed, 4 insertions(+)
diff --git a/drivers/staging/rtl8192e/rtl8192e/r8192E_firmware.c b/drivers/staging/rtl8192e/rtl8192e/r8192E_firmware.c
index dd2a96b..baf15d7 100644
--- a/drivers/staging/rtl8192e/rtl8192e/r8192E_firmware.c
+++ b/drivers/staging/rtl8192e/rtl8192e/r8192E_firmware.c
@@ -61,6 +61,10 @@ static bool fw_download_code(struct net_device *dev, u8 *code_virtual_address,
 }
 skb = dev_alloc_skb(frag_length + 4);
+ if (skb == NULL) {
+ rt_status = true;
+ break;
+ }
 memcpy((unsigned char *)(skb->cb), &dev, sizeof(dev));
 tcb_desc = (struct cb_desc *)(skb->cb + MAX_DEV_ADDR_SIZE);
 tcb_desc->queue_index = TXCMD_QUEUE;
--
1.7.9.5
___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
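Review bot: The added check sets `rt_status = true` before `break`, so an allocation failure leaves fw_download_code with what appears to be its success value; the matching fix for drivers/staging/rtl8192u/r819xU_firmware.c sets false at the same point. The line should read `rt_status = false;`. With true, a caller would treat a truncated firmware download as complete and carry on with device bring-up. The enclosing loop and the function's return statement are outside the hunk.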