Bug 44461

Summary: Missing NULL check of the return value of nla_nest_start() in function sfb_dump()
Product: Drivers Reporter: RUC_Soft_Sec (rucsoftsec)
Component: Network    Assignee: Alan (alan)
Status: RESOLVED CODE_FIX    
Severity: normal CC: alan, florian
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 3.5-rc Subsystem:
Regression: No Bisected commit-id:

Description RUC_Soft_Sec 2012-07-11 12:13:35 UTC
In function sfb_dump() at net/sched/sch_sfb.c:542, the call to nla_nest_start() at line 559 may return a NULL pointer, so the variable opts may be NULL. An invalid memory access may therefore be triggered when nla_nest_end() is called at line 561, as there is no check of the variable opts against NULL before the pointer dereference in the callee nla_nest_end().
The related code snippets in sfb_dump() and nla_nest_end() are as follows.
sfb_dump() @@net/sched/sch_sfb.c:559
 559        opts = nla_nest_start(skb, TCA_OPTIONS);
 560        NLA_PUT(skb, TCA_SFB_PARMS, sizeof(opt), &opt);
 561        return nla_nest_end(skb, opts);
nla_nest_end() @@include/net/netlink.h:1018
1018 static inline int nla_nest_end(struct sk_buff *skb, struct nlattr *start)
1019 {
1020        start->nla_len = skb_tail_pointer(skb) - (unsigned char *)start;
1021        return skb->len;
1022 }

Generally, the return value should be checked against NULL before it is used, as in the following code from another function of the same driver.
cbq_dump_class() @@net/sched/sch_cbq.c:1589
1589        nest = nla_nest_start(skb, TCA_OPTIONS);
1590        if (nest == NULL)
1591                goto nla_put_failure;
1592        if (cbq_dump_attr(skb, cl) < 0)
1593                goto nla_put_failure;
1594        nla_nest_end(skb, nest);
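As an added illustration, not code from the report or from the kernel tree: a constructed user-space model of the nla_nest_start()/nla_nest_end() contract, with the checked form of the sfb_dump() tail beside it. The nlattr/sk_buff stand-ins, nla_put(), sfb_dump_checked() and dump_with_room() are hypothetical simplifications; only nla_nest_end() keeps the body shown above.

```c
#include <errno.h>
#include <string.h>
/* Hypothetical stand-ins for the kernel's nlattr/sk_buff on a 64-byte message. */
enum { NLA_HDRLEN = 4, TCA_OPTIONS = 2, TCA_SFB_PARMS = 1 };
struct nlattr { unsigned short nla_len, nla_type; };
struct sk_buff { unsigned char data[64]; unsigned int len, size; };
struct tc_sfb_qopt { unsigned int limit, penalty_rate; };   /* placeholder fields */
static unsigned char *skb_tail_pointer(struct sk_buff *skb) { return skb->data + skb->len; }
static struct nlattr *nla_nest_start(struct sk_buff *skb, int type)
{   /* as in the kernel: returns NULL when the message has no room for the header */
    struct nlattr *start = (struct nlattr *)skb_tail_pointer(skb);
    if (skb->size - skb->len < NLA_HDRLEN)
        return NULL;
    start->nla_type = (unsigned short)type;
    skb->len += NLA_HDRLEN;
    return start;
}
static int nla_nest_end(struct sk_buff *skb, struct nlattr *start)
{   /* same body as include/net/netlink.h:1018: start is dereferenced unconditionally */
    start->nla_len = (unsigned short)(skb_tail_pointer(skb) - (unsigned char *)start);
    return skb->len;
}
static int nla_put(struct sk_buff *skb, int type, unsigned int len, const void *p)
{   /* appends one attribute (payload assumed 4-byte aligned); -EMSGSIZE when full */
    struct nlattr *a = nla_nest_start(skb, type);
    if (a == NULL || skb->size - skb->len < len)
        return -EMSGSIZE;
    memcpy(skb_tail_pointer(skb), p, len);
    skb->len += len;
    nla_nest_end(skb, a);   /* a->nla_len = NLA_HDRLEN + len */
    return 0;
}
/* sfb_dump() tail with the NULL check the report asks for; the original had none. */
static int sfb_dump_checked(struct sk_buff *skb, const struct tc_sfb_qopt *opt)
{
    struct nlattr *opts = nla_nest_start(skb, TCA_OPTIONS);
    if (opts == NULL)
        goto nla_put_failure;
    if (nla_put(skb, TCA_SFB_PARMS, sizeof(*opt), opt) < 0)
        goto nla_put_failure;
    return nla_nest_end(skb, opts);
nla_put_failure:
    return -EMSGSIZE;
}
static int dump_with_room(unsigned int room)
{   /* runs the dump into a message with 'room' free bytes; returns final skb->len */
    struct tc_sfb_qopt opt = { 1000, 10 };   /* constructed sample values */
    struct sk_buff skb = { {0}, 0, room < 64 ? room : 64 };
    return sfb_dump_checked(&skb, &opt);
}
```

With the check in place a full message yields -EMSGSIZE instead of a NULL dereference in nla_nest_end(); 16 bytes (outer nest header, inner attribute header, 8-byte payload) is the smallest message the dump completes in.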
Comment 1 Florian Mickler 2012-07-25 19:36:27 UTC
A patch referencing this bug report has been merged in Linux v3.5:

commit 7ac2908e4b2edaec60e9090ddb4d9ceb76c05e7d
Author: Alan Cox <alan@linux.intel.com>
Date:   Thu Jul 12 03:39:11 2012 +0000

    sch_sfb: Fix missing NULL check