Bug 44611

Summary: Missing NULL check of the return value of nla_reserve() in function reset_per_cpu_data()
Product: Drivers Reporter: RUC_Soft_Sec (rucsoftsec)
Component: NetworkAssignee: drivers_network (drivers_network)
Severity: normal CC: xerofoify
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 2.6.39 Tree: Mainline
Regression: No

Description RUC_Soft_Sec 2012-07-13 01:02:03 UTC
Function nal_reserve() will return NULL if the tailroom of skb is insufficient, so the return value shall be checked against NULL before used. But in function reset_per_cpu_data(), the return value of nla_reserve() (called at net/core/drop_monitor.c:90)is used without NULL check.
The related code snippets are as following.
reset_per_cpu_data() @@net/core/drop_monitor.c:87
  87        data->skb = genlmsg_new(al, GFP_KERNEL);
  88        genlmsg_put(data->skb, 0, 0, &net_drop_monitor_family,
  89                        0, NET_DM_CMD_ALERT);
  90        nla = nla_reserve(data->skb, NLA_UNSPEC, sizeof(struct net_dm_alert_msg));
  91        msg = nla_data(nla);

From looking up the source code of genlmsg_put(), whether will nla_reserve() return a NULL pointer depends on value of net_drop_mointor_family.hard_size. So I am not sure whether the missing check of variable nla against NULL is a real bug or is the author's purpose to avoid wasting time because in this context nla_reserve() will never return a NULL pointer.

Thank you

Comment 1 RUC_Soft_Sec 2012-08-14 13:39:40 UTC
I am sorry to trouble, but I want to make sure whether this a real bug or a false positive.

Thank you

Comment 2 xerofoify 2014-06-20 17:43:00 UTC
If this doesn't return a NULL pointer ever why check for it?
I don't think this is a bug and would close it.
Cheers Nick