Bug 44461
| Summary: | Missing NULL check of the return value of nla_nest_start() in function sfb_dump() | ||
|---|---|---|---|
| Product: | Drivers | Reporter: | RUC_Soft_Sec (rucsoftsec) |
| Component: | Network | Assignee: | Alan (alan) |
| Status: | RESOLVED CODE_FIX | ||
| Severity: | normal | CC: | alan, florian |
| Priority: | P1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Kernel Version: | 3.5-rc | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
A patch referencing this bug report has been merged in Linux v3.5: commit 7ac2908e4b2edaec60e9090ddb4d9ceb76c05e7d Author: Alan Cox <alan@linux.intel.com> Date: Thu Jul 12 03:39:11 2012 +0000 sch_sfb: Fix missing NULL check |
In function sfb_dump() at net/sched/sch_sfb.c:542, the call to nla_nest_start() at line 559 may return a NULL pointer, thus variable opts may refer to NULL. So an invalid memory access may be triggered when nla_nest_end() is called at line 561, as there is no checking of variable opts against NULL before pointer dereference in the callee nla_nest_end(). The related code snippets in sfb_dump() and nla_nest_end() are as following. sfb_dump() @@net/sched/sch_sfb.c:559 559 opts = nla_nest_start(skb, TCA_OPTIONS); 560 NLA_PUT(skb, TCA_SFB_PARMS, sizeof(opt), &opt); 561 return nla_nest_end(skb, opts); nla_nest_end() @@include/net/netlink.h:1018 1018 static inline int nla_nest_end(struct sk_buff *skb, struct nlattr *start) 1019 { 1020 start->nla_len = skb_tail_pointer(skb) - (unsigned char *)start; 1021 return skb->len; 1022 } Generally, the return value shall be checked against NULL before used. Like the following codes in another function of the same driver. cbq_dump_class() @@net/sched/sch_cbq.c:1589 1589 nest = nla_nest_start(skb, TCA_OPTIONS); 1590 if (nest == NULL) 1591 goto nla_put_failure; 1592 if (cbq_dump_attr(skb, cl) < 0) 1593 goto nla_put_failure; 1594 nla_nest_end(skb, nest);