Message ID | alpine.LNX.2.00.1208172230570.15699@swampdragon.chaosbits.net |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
> In net/caif/chnl_net.c::chnl_recv_cb() we call skb_header_pointer()
> which may return NULL, but we do not check for a NULL pointer before
> dereferencing it.
> This patch adds such a NULL check and properly frees allocated memory
> and returns an error (-EINVAL) on failure - much better than crashing.
>
> Signed-off-by: Jesper Juhl <jj@chaosbits.net>

Thank you for fixing this, the patch looks good to me.
Acked-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Sjur BRENDELAND <sjur.brandeland@stericsson.com>
Date: Mon, 20 Aug 2012 08:33:35 +0200

>> In net/caif/chnl_net.c::chnl_recv_cb() we call skb_header_pointer()
>> which may return NULL, but we do not check for a NULL pointer before
>> dereferencing it.
>> This patch adds such a NULL check and properly frees allocated memory
>> and returns an error (-EINVAL) on failure - much better than crashing.
>>
>> Signed-off-by: Jesper Juhl <jj@chaosbits.net>
>
> Thank you for fixing this, the patch looks good to me.
> Acked-by: Sjur Brændeland <sjur.brandeland@stericsson.com>

Applied, thanks.
diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c index 69771c0..e597733 100644 --- a/net/caif/chnl_net.c +++ b/net/caif/chnl_net.c @@ -94,6 +94,10 @@ static int chnl_recv_cb(struct cflayer *layr, struct cfpkt *pkt) /* check the version of IP */ ip_version = skb_header_pointer(skb, 0, 1, &buf); + if (!ip_version) { + kfree_skb(skb); + return -EINVAL; + } switch (*ip_version >> 4) { case 4:
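Review bot: the new `if (!ip_version)` branch in chnl_recv_cb() frees the skb and returns -EINVAL with no accounting or log message, so frames too short to carry the IP version byte are dropped invisibly. skb_header_pointer(skb, 0, 1, &buf) returns NULL when the skb has no byte available at offset 0, so consider incrementing the net device's receive error counter before `return -EINVAL;` to keep such drops observable. The commit message says the change was compile tested only; receiving a zero-length payload on a CAIF channel would exercise this path and confirm that the skb is freed exactly once.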
In net/caif/chnl_net.c::chnl_recv_cb() we call skb_header_pointer()
which may return NULL, but we do not check for a NULL pointer before
dereferencing it.
This patch adds such a NULL check and properly frees allocated memory
and returns an error (-EINVAL) on failure - much better than crashing.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
---
 net/caif/chnl_net.c | 4 ++++
 1 file changed, 4 insertions(+)

Note: compile tested only.