From patchwork Thu Jan 13 21:40:11 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Jesper Juhl
X-Patchwork-Id: 78814
X-Patchwork-Delegate: davem@davemloft.net
Return-Path:
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 24360B7088 for ; Fri, 14 Jan 2011 08:41:06 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757165Ab1AMVkO (ORCPT ); Thu, 13 Jan 2011 16:40:14 -0500
Received: from swampdragon.chaosbits.net ([90.184.90.115]:26491 "EHLO swampdragon.chaosbits.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755699Ab1AMVkM (ORCPT ); Thu, 13 Jan 2011 16:40:12 -0500
Received: by swampdragon.chaosbits.net (Postfix, from userid 1000) id 29D4F9403F; Thu, 13 Jan 2011 22:40:11 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by swampdragon.chaosbits.net (Postfix) with ESMTP id 224929403B; Thu, 13 Jan 2011 22:40:11 +0100 (CET)
Date: Thu, 13 Jan 2011 22:40:11 +0100 (CET)
From: Jesper Juhl
To: linux-kernel@vger.kernel.org
cc: Oliver Neukum , Greg Kroah-Hartman , linux-usb@vger.kernel.org, netdev@vger.kernel.org, Alexey Orishko , Hans Petter Selasky
Subject: [PATCH] USB CDC NCM: Don't deref NULL in cdc_ncm_rx_fixup() and don't use uninitialized variable.
Message-ID:
User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
MIME-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

skb_clone() dynamically allocates memory and may fail. If it does, it returns NULL. This means we'll dereference a NULL pointer in drivers/net/usb/cdc_ncm.c::cdc_ncm_rx_fixup(). As far as I can tell, the proper way to deal with this is simply to goto the error label.

Furthermore, gcc complains that 'skb' may be used uninitialized:

drivers/net/usb/cdc_ncm.c: In function ‘cdc_ncm_rx_fixup’:
drivers/net/usb/cdc_ncm.c:922:18: warning: ‘skb’ may be used uninitialized in this function

and I believe it is right. On the line where we pr_debug("invalid frame detected (ignored)" ... we are using the local variable 'skb', but nothing has ever been assigned to that variable yet. I believe the correct fix for that is to use 'skb_in' instead.

Signed-off-by: Jesper Juhl
---
 cdc_ncm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Compile tested only.

diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index 593c104..d776c4a 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -1021,13 +1021,15 @@ static int cdc_ncm_rx_fixup(struct usbnet *dev, struct sk_buff *skb_in)
 (temp > CDC_NCM_MAX_DATAGRAM_SIZE) || (temp < ETH_HLEN)) { pr_debug("invalid frame detected (ignored)" "offset[%u]=%u, length=%u, skb=%p\n", - x, offset, temp, skb); + x, offset, temp, skb_in); if (!x) goto error; break; } else { skb = skb_clone(skb_in, GFP_ATOMIC); + if (!skb) + goto error; skb->len = temp; skb->data = ((u8 *)skb_in->data) + offset; skb_set_tail_pointer(skb, temp);
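Review bot: the new `if (!skb) goto error;` after `skb = skb_clone(skb_in, GFP_ATOMIC);` handles a clone failure on the second or later datagram more harshly than the invalid-frame branch a few lines above it, which only jumps to `error` when `x` is 0 and otherwise does `break` so that datagrams already delivered from this NTB stand; if that asymmetry is intended (an allocation failure mid-NTB abandons the remainder), say so in the commit message, otherwise mirror the existing pattern with `if (!x) goto error; break;`. Because the description says the patch is compile tested only, the new branch has not actually been exercised; skb_clone() returning NULL under memory pressure is precisely the case it guards, so one run with allocation failures injected would be worth noting in a v2. The `skb_in` substitution in the pr_debug() arguments is correct as far as the hunk shows: `skb` is not assigned on that path, and `skb_in` is the buffer whose pointer the message is meant to report.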
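To show the two failure modes the patch description names in running code, here is an added example that is not the kernel's or the cdc_ncm driver's code: a user-space model of the datagram loop in cdc_ncm_rx_fixup() with both fixes applied, plus a fault injector so the skb_clone()-returns-NULL path is actually executed rather than only compiled. The names ncm_skb, ncm_clone, ncm_rx_fixup, ncm_set_clone_fail, the 16-bit little-endian (offset, length) datagram pointer table, the terminating zero pair and the "offset + length exceeds the buffer" test are assumptions made for this illustration; the sample table in main() is constructed.

```c
/*
 * Added example, not kernel or driver code: a user-space model of the
 * cdc_ncm_rx_fixup() datagram loop with the patch's two fixes applied.
 * ncm_skb, ncm_clone, ncm_rx_fixup, the (offset, length) pointer table
 * layout and the "offset + length > buffer" check are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETH_HLEN 14
#define NCM_MAX_DATAGRAM_SIZE 8192  /* stands in for CDC_NCM_MAX_DATAGRAM_SIZE */

/* Stand-in for struct sk_buff: a (data, len) view into the received NTB. */
struct ncm_skb {
    uint8_t *data;
    size_t len;
};

/* Fault injector: the fail_at-th clone call (1-based) returns NULL; 0 = never. */
static int clone_calls, clone_fail_at;

void ncm_set_clone_fail(int fail_at)
{
    clone_calls = 0;
    clone_fail_at = fail_at;
}

/* Stand-in for skb_clone(): a new header sharing the payload; may return NULL. */
static struct ncm_skb *ncm_clone(const struct ncm_skb *in)
{
    struct ncm_skb *skb;

    if (++clone_calls == clone_fail_at)
        return NULL;
    skb = malloc(sizeof(*skb));
    if (skb)
        *skb = *in;
    return skb;
}

struct ncm_result {
    int delivered;  /* datagrams handed to the "stack" */
    int ignored;    /* invalid table entries logged and skipped */
    int error;      /* 1 if the NTB was dropped via the error path */
};

/* Stand-in for the receiver: it owns the clone and frees it. */
static void ncm_deliver(struct ncm_skb *skb, struct ncm_result *r)
{
    r->delivered++;
    free(skb);
}

/*
 * Walk a table of little-endian (offset, length) pairs ended by a zero pair.
 * As in the hunk: an invalid first entry drops the NTB, a later invalid entry
 * ends the walk, and a failed clone takes the error path instead of
 * dereferencing NULL.
 */
struct ncm_result ncm_rx_fixup(struct ncm_skb *skb_in,
                               const uint8_t *dpt, size_t dpt_len)
{
    struct ncm_result r = {0, 0, 0};
    struct ncm_skb *skb;
    size_t x;

    for (x = 0; 4 * x + 4 <= dpt_len; x++) {
        uint32_t offset = dpt[4 * x] | ((uint32_t)dpt[4 * x + 1] << 8);
        uint32_t temp = dpt[4 * x + 2] | ((uint32_t)dpt[4 * x + 3] << 8);

        if (offset == 0 && temp == 0)
            break;  /* end of table */
        if ((offset + temp) > skb_in->len ||
            temp > NCM_MAX_DATAGRAM_SIZE || temp < ETH_HLEN) {
            /* First fix: log skb_in; skb has not been assigned on this path. */
            fprintf(stderr, "invalid frame detected (ignored) "
                    "offset[%zu]=%u, length=%u, skb=%p\n",
                    x, offset, temp, (void *)skb_in);
            r.ignored++;
            if (!x)
                goto error;
            break;
        }
        skb = ncm_clone(skb_in);
        if (!skb)  /* second fix: the clone can fail under memory pressure */
            goto error;
        skb->data = skb_in->data + offset;
        skb->len = temp;
        ncm_deliver(skb, &r);
    }
    return r;
error:
    r.error = 1;
    return r;
}

int main(void)
{
    uint8_t payload[64];
    /* Constructed table: 20-, 20- and 24-byte datagrams, then the terminator. */
    const uint8_t dpt[] = {0, 0, 20, 0, 20, 0, 20, 0, 40, 0, 24, 0, 0, 0, 0, 0};
    struct ncm_skb in = {payload, sizeof payload};
    struct ncm_result r;

    memset(payload, 0xAA, sizeof payload);
    ncm_set_clone_fail(2);  /* second clone fails, as skb_clone() can */
    r = ncm_rx_fixup(&in, dpt, sizeof dpt);
    printf("delivered=%d ignored=%d error=%d\n", r.delivered, r.ignored, r.error);
    return 0;
}
```

The injector is the point of the exercise: with `ncm_set_clone_fail(0)` all three datagrams are delivered, with `ncm_set_clone_fail(2)` the first is delivered and the walk ends on the error path with nothing dereferenced or leaked, and an invalid first entry versus an invalid later entry shows the `if (!x) goto error; break;` distinction the hunk keeps for malformed tables.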