Bug 60411

Summary: Missing NULL check of the return value of dev_alloc_skb() in function SendTxCommandPacket() in file drivers/staging/rtl8192u/r819xU_cmdpkt.c
Product: Drivers
Reporter: RUC_Soft_Sec (rucsoftsec)
Component: Staging
Assignee: drivers_staging (drivers_staging)
Status: RESOLVED CODE_FIX
Severity: normal
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 3.10
Subsystem:
Regression: No
Bisected commit-id:

Description RUC_Soft_Sec 2013-07-04 06:26:22 UTC
In function SendTxCommandPacket() at drivers/staging/rtl8192u/r819xU_cmdpkt.c:42, the call to dev_alloc_skb() at line 58 may return a NULL pointer when there is not enough memory, but its return value is never checked against NULL before it is dereferenced at line 59, and thus an invalid memory access error may be triggered.
The related code snippets in function SendTxCommandPacket() are as follows.
SendTxCommandPacket @ drivers/staging/rtl8192u/r819xU_cmdpkt.c:42
  42 SendTxCommandPacket(
  43         struct net_device *dev,
  44         void* pData,
  45         u32   DataLen
  46         )
  47 {
             ...
  58         skb  = dev_alloc_skb(USB_HWDESC_HEADER_LEN + DataLen + 4);
             //NOTE: skb should be checked against NULL
  59         memcpy((unsigned char *)(skb->cb),&dev,sizeof(dev));
  60         tcb_desc = (cb_desc*)(skb->cb + MAX_DEV_ADDR_SIZE);
  61         tcb_desc->queue_index = TXCMD_QUEUE;
  62         tcb_desc->bCmdOrInit = DESC_PACKET_TYPE_NORMAL;
  63         tcb_desc->bLastIniPkt = 0;
  64         skb_reserve(skb, USB_HWDESC_HEADER_LEN);
             ...
  80 }

Generally, the return value of dev_alloc_skb() shall be checked against NULL before it is used, like the following code snippets in function ieee80211_send_bar().
ieee80211_send_bar @ net/mac80211/agg-tx.c:113
 113 void ieee80211_send_bar(struct ieee80211_vif *vif, u8 *ra, u16 tid, u16 ssn)
 114 {
             ...
 121         skb = dev_alloc_skb(sizeof(*bar) + local->hw.extra_tx_headroom);
 122         if (!skb)
 123                 return;
 124
 125         skb_reserve(skb, local->hw.extra_tx_headroom);
             ...
 141 }
Thank you!

RUC_Soft_Sec, supported by China.X.Orion
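
The check requested in this report, as an added example that is not part of the original report and is not the kernel's or the driver's code: a userspace C model of lines 58-64 with the NULL test in place and a fault-injection switch to exercise the failure path. The struct layout, model_alloc_skb(), build_cmd_skb_checked(), fail_next_alloc, the -ENOMEM return convention and the header length value are assumptions made for the model.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define USB_HWDESC_HEADER_LEN 24  /* constructed value for this model */

struct sk_buff {                  /* minimal stand-in, not the kernel's struct */
    unsigned char cb[48];
    unsigned char *head, *data;
};
static int fail_next_alloc;       /* hypothetical fault-injection switch */

/* Stand-in for dev_alloc_skb(): may return NULL, as under memory pressure. */
static struct sk_buff *model_alloc_skb(size_t size)
{
    struct sk_buff *skb;
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    skb = calloc(1, sizeof(*skb));
    if (skb && !(skb->head = skb->data = malloc(size))) {
        free(skb);
        skb = NULL;
    }
    return skb;
}

/* Models lines 58-64 of the report with the missing check added. */
static int build_cmd_skb_checked(void *dev, size_t data_len, struct sk_buff **out)
{
    struct sk_buff *skb = model_alloc_skb(USB_HWDESC_HEADER_LEN + data_len + 4);
    if (!skb)
        return -ENOMEM;           /* stop before skb->cb is dereferenced */
    memcpy(skb->cb, &dev, sizeof(dev));
    skb->data += USB_HWDESC_HEADER_LEN;   /* models skb_reserve() */
    *out = skb;
    return 0;
}

int main(void)
{
    struct sk_buff *skb = NULL;
    int dev = 0;
    fail_next_alloc = 1;
    printf("alloc fails: %d\n", build_cmd_skb_checked(&dev, 16, &skb));
    printf("alloc ok:    %d\n", build_cmd_skb_checked(&dev, 16, &skb));
    return 0;
}
```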