| Message ID | 20190130101902.19744-1-yuehaibing@huawei.com |
|---|---|
| State | Changes Requested |
| Delegated to: | David Miller |
| Headers | show |
| Series | [-next] mISDN: hfcsusb: Fix potential NULL pointer dereference | expand |
From: YueHaibing <yuehaibing@huawei.com> Date: Wed, 30 Jan 2019 18:19:02 +0800 > There is a potential NULL pointer dereference in case > kzalloc() fails and returns NULL. > > Fixes: 69f52adb2d53 ("mISDN: Add HFC USB driver") > Signed-off-by: YueHaibing <yuehaibing@huawei.com> > --- > drivers/isdn/hardware/mISDN/hfcsusb.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c > index 124ff53..5660d5a 100644 > --- a/drivers/isdn/hardware/mISDN/hfcsusb.c > +++ b/drivers/isdn/hardware/mISDN/hfcsusb.c > @@ -263,6 +263,8 @@ hfcsusb_ph_info(struct hfcsusb *hw) > int i; > > phi = kzalloc(struct_size(phi, bch, dch->dev.nrbchan), GFP_ATOMIC); > + if (!phi) > + return; If we fail with an error and do not perform the operation we were requested to make, we must return an error to the caller, and the caller must do something reasonable with that error (perhaps return it to it's caller) and so on and so forth.
On 2019/1/31 2:10, David Miller wrote: > From: YueHaibing <yuehaibing@huawei.com> > Date: Wed, 30 Jan 2019 18:19:02 +0800 > >> There is a potential NULL pointer dereference in case >> kzalloc() fails and returns NULL. >> >> Fixes: 69f52adb2d53 ("mISDN: Add HFC USB driver") >> Signed-off-by: YueHaibing <yuehaibing@huawei.com> >> --- >> drivers/isdn/hardware/mISDN/hfcsusb.c | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c >> index 124ff53..5660d5a 100644 >> --- a/drivers/isdn/hardware/mISDN/hfcsusb.c >> +++ b/drivers/isdn/hardware/mISDN/hfcsusb.c >> @@ -263,6 +263,8 @@ hfcsusb_ph_info(struct hfcsusb *hw) >> int i; >> >> phi = kzalloc(struct_size(phi, bch, dch->dev.nrbchan), GFP_ATOMIC); >> + if (!phi) >> + return; > > If we fail with an error and do not perform the operation we were requested to > make, we must return an error to the caller, and the caller must do something > reasonable with that error (perhaps return it to it's caller) and so on and > so forth. hfcsusb_ph_info alloced the 'phi',then use it _alloc_mISDN_skb in _queue_data. while _alloc_mISDN_skb fails, it also just return without err handling,then kfree(phi). It seems that all the caller of hfcsusb_ph_info doesn't care the return value. > > . >
From: YueHaibing <yuehaibing@huawei.com> Date: Thu, 31 Jan 2019 17:41:46 +0800 > On 2019/1/31 2:10, David Miller wrote: >> From: YueHaibing <yuehaibing@huawei.com> >> Date: Wed, 30 Jan 2019 18:19:02 +0800 >> >>> There is a potential NULL pointer dereference in case >>> kzalloc() fails and returns NULL. >>> >>> Fixes: 69f52adb2d53 ("mISDN: Add HFC USB driver") >>> Signed-off-by: YueHaibing <yuehaibing@huawei.com> >>> --- >>> drivers/isdn/hardware/mISDN/hfcsusb.c | 2 ++ >>> 1 file changed, 2 insertions(+) >>> >>> diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c >>> index 124ff53..5660d5a 100644 >>> --- a/drivers/isdn/hardware/mISDN/hfcsusb.c >>> +++ b/drivers/isdn/hardware/mISDN/hfcsusb.c >>> @@ -263,6 +263,8 @@ hfcsusb_ph_info(struct hfcsusb *hw) >>> int i; >>> >>> phi = kzalloc(struct_size(phi, bch, dch->dev.nrbchan), GFP_ATOMIC); >>> + if (!phi) >>> + return; >> >> If we fail with an error and do not perform the operation we were requested to >> make, we must return an error to the caller, and the caller must do something >> reasonable with that error (perhaps return it to it's caller) and so on and >> so forth. > > > hfcsusb_ph_info alloced the 'phi',then use it _alloc_mISDN_skb in _queue_data. > while _alloc_mISDN_skb fails, it also just return without err handling,then kfree(phi). > It seems that all the caller of hfcsusb_ph_info doesn't care the return value. And that's a bug!
diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c index 124ff53..5660d5a 100644 --- a/drivers/isdn/hardware/mISDN/hfcsusb.c +++ b/drivers/isdn/hardware/mISDN/hfcsusb.c @@ -263,6 +263,8 @@ hfcsusb_ph_info(struct hfcsusb *hw) int i; phi = kzalloc(struct_size(phi, bch, dch->dev.nrbchan), GFP_ATOMIC); + if (!phi) + return; phi->dch.ch.protocol = hw->protocol; phi->dch.ch.Flags = dch->Flags; phi->dch.state = dch->state;
There is a potential NULL pointer dereference in case kzalloc() fails and returns NULL. Fixes: 69f52adb2d53 ("mISDN: Add HFC USB driver") Signed-off-by: YueHaibing <yuehaibing@huawei.com> --- drivers/isdn/hardware/mISDN/hfcsusb.c | 2 ++ 1 file changed, 2 insertions(+)