Bug 60401

Summary: Missing NULL check of the return value of dev_alloc_skb() in function parse_subframe() in file drivers/staging/rtl8192e/rtllib_rx.c
Product: Drivers
Reporter: RUC_Soft_Sec (rucsoftsec)
Component: Staging
Assignee: drivers_staging (drivers_staging)
Status: RESOLVED CODE_FIX
Severity: normal
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 3.10
Subsystem:
Regression: No
Bisected commit-id:

Description RUC_Soft_Sec 2013-07-04 06:23:38 UTC
In function parse_subframe() at drivers/staging/rtl8192e/rtllib_rx.c:735, the call to dev_alloc_skb() at line 780 may return a NULL pointer when there is not enough memory, but its return value is never checked against NULL before it is dereferenced in function skb_reserve() (called at line 781), and thus an invalid memory access error may be triggered. Besides, there exists the same issue when dev_alloc_skb() is called at line 828.
The related code snippets in function parse_subframe() are as follows.
parse_subframe @ drivers/staging/rtl8192e/rtllib_rx.c:735
 735 static u8 parse_subframe(struct rtllib_device *ieee, struct sk_buff *skb,
 736                          struct rtllib_rx_stats *rx_stats,
 737                          struct rtllib_rxb *rxb, u8 *src, u8 *dst)
 738 {
              ...
 779                 /* Allocate new skb for releasing to upper layer */
 780                 sub_skb = dev_alloc_skb(RTLLIB_SKBBUFFER_SIZE);
                     //NOTE: sub_skb should be checked against NULL
 781                 skb_reserve(sub_skb, 12);
              ...
 827                         /* Allocate new skb for releasing to upper layer */
 828                         sub_skb = dev_alloc_skb(nSubframe_Length + 12);
                             //NOTE: sub_skb should be checked against NULL
 829                         skb_reserve(sub_skb, 12);
              ...
 857 }

Generally, the return value of dev_alloc_skb() shall be checked against NULL before it is used, like the following code snippets in function ieee80211_send_bar().
ieee80211_send_bar @ net/mac80211/agg-tx.c:113
 113 void ieee80211_send_bar(struct ieee80211_vif *vif, u8 *ra, u16 tid, u16 ssn)
 114 {
             ...
 121         skb = dev_alloc_skb(sizeof(*bar) + local->hw.extra_tx_headroom);
 122         if (!skb)
 123                 return;
 124
 125         skb_reserve(skb, local->hw.extra_tx_headroom);
             ...
 141 }
Thank you!

RUC_Soft_Sec, supported by China.X.Orion
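An added example, not code from the report or from the kernel: a user-space model of the subframe loop with a mock dev_alloc_skb() that can be made to fail on demand, showing the NULL check the report asks for together with the release of subframes already queued in rxb, so an allocation failure drops the frame cleanly instead of crashing or leaking. The struct layouts, the 2-byte length framing and the scenario payload are constructed for this demonstration and are not the rtllib formats.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for the kernel types; not the real sk_buff/rtllib definitions. */
struct sk_buff { unsigned char *data; size_t len; };
#define MAX_SUBFRAMES 8
struct rtllib_rxb { unsigned int nr_subframes; struct sk_buff *subframes[MAX_SUBFRAMES]; };
/* Mock allocator with failure injection: fail_on_call = N makes the Nth call return NULL
 * (0 = never), standing in for dev_alloc_skb() failing when memory is short. */
static int fail_on_call, alloc_calls, live_skbs;
static struct sk_buff *dev_alloc_skb(size_t size)
{
    if (++alloc_calls == fail_on_call) return NULL;
    struct sk_buff *skb = calloc(1, sizeof(*skb));
    if (!skb || !(skb->data = malloc(size))) { free(skb); return NULL; }
    live_skbs++; return skb;
}
static void dev_kfree_skb(struct sk_buff *skb) { if (skb) { free(skb->data); free(skb); live_skbs--; } }
int live_skb_count(void) { return live_skbs; }   /* leak check for the scenarios below */
/* Hardened splitter over a constructed framing: [2-byte big-endian length][body] per subframe.
 * On allocation failure it releases the subframes already queued in rxb and returns 0,
 * so the caller drops the frame instead of dereferencing NULL in skb_reserve(). */
unsigned int parse_subframes_checked(const unsigned char *p, size_t len, struct rtllib_rxb *rxb)
{
    rxb->nr_subframes = 0;
    for (size_t off = 0; off + 2 <= len && rxb->nr_subframes < MAX_SUBFRAMES; ) {
        size_t sub_len = ((size_t)p[off] << 8) | p[off + 1];
        off += 2;
        if (sub_len == 0 || sub_len > len - off) break;   /* empty or truncated: stop */
        struct sk_buff *sub_skb = dev_alloc_skb(sub_len + 12);
        if (!sub_skb) {                                   /* the check the report says is missing */
            while (rxb->nr_subframes)
                dev_kfree_skb(rxb->subframes[--rxb->nr_subframes]);
            return 0;
        }
        memcpy(sub_skb->data, p + off, sub_len);
        sub_skb->len = sub_len;
        rxb->subframes[rxb->nr_subframes++] = sub_skb;
        off += sub_len;
    }
    return rxb->nr_subframes;
}
/* Scenario driver: parse a constructed two-subframe payload with the given failure point,
 * release whatever was produced, and return the subframe count the parser reported. */
unsigned int run_scenario(int fail_call)
{
    static const unsigned char payload[] = { 0, 2, 'a', 'b', 0, 3, 'c', 'd', 'e' };
    struct rtllib_rxb rxb; fail_on_call = fail_call; alloc_calls = 0;
    unsigned int n = parse_subframes_checked(payload, sizeof payload, &rxb);
    while (rxb.nr_subframes) dev_kfree_skb(rxb.subframes[--rxb.nr_subframes]);
    return n;
}
```

run_scenario(0) yields 2 subframes; failing the first or the second allocation yields 0 with no live skb left behind, which is the behaviour the unchecked code at lines 780 and 828 cannot guarantee.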