Bug 60461

Summary: Missing NULL check of the return value of dev_alloc_skb() in function fw_download_code() in file drivers/staging/rtl8192e/rtl8192e/r8192E_firmware.c:35
Product: Drivers    Reporter: RUC_Soft_Sec (rucsoftsec)
Component: Staging    Assignee: drivers_staging (drivers_staging)
Status: NEW
Severity: normal    CC: danieru.dressler, hle
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 3.10    Subsystem:
Regression: No    Bisected commit-id:

Description RUC_Soft_Sec 2013-07-04 06:39:56 UTC
In function fw_download_code() at drivers/staging/rtl8192e/rtl8192e/r8192E_firmware.c:35, the call to dev_alloc_skb() at line 63 may return a NULL pointer when there is not enough memory, but its return value is never checked against NULL before it is dereferenced at line 64, and thus an invalid memory access error may be triggered.
The related code snippets in function fw_download_code() are as follows.
fw_download_code @ drivers/staging/rtl8192e/rtl8192e/r8192E_firmware.c:35
  35  static bool fw_download_code(struct net_device *dev, u8 *code_virtual_address,
  36                               u32 buffer_len)
  37  {
              ...
  63                  skb  = dev_alloc_skb(frag_length + 4);
  64                  memcpy((unsigned char *)(skb->cb), &dev, sizeof(dev));
  65                  tcb_desc = (struct cb_desc *)(skb->cb + MAX_DEV_ADDR_SIZE);
  66                  tcb_desc->queue_index = TXCMD_QUEUE;
  67                  tcb_desc->bCmdOrInit = DESC_PACKET_TYPE_INIT;
  68                  tcb_desc->bLastIniPkt = bLastIniPkt;
              ...
 103  }

Generally, the return value of dev_alloc_skb() shall be checked against NULL before it is used, like the following code snippets in function prism2sta_inf_authreq().
prism2sta_inf_authreq @ drivers/staging/wlan-ng/prism2sta.c:1554
1554  static void prism2sta_inf_authreq(wlandevice_t *wlandev,
1555                                    hfa384x_InfFrame_t *inf)
1556  {
1557          hfa384x_t *hw = (hfa384x_t *) wlandev->priv;
1558          struct sk_buff *skb;
1559
1560          skb = dev_alloc_skb(sizeof(*inf));
1561          if (skb) {
1562                  skb_put(skb, sizeof(*inf));
1563                  memcpy(skb->data, inf, sizeof(*inf));
1564                  skb_queue_tail(&hw->authq, skb);
1565                  schedule_work(&hw->link_bh);
1566          }
1567  }

Thank you!

RUC_Soft_Sec, supported by China.X.Orion
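The fix pattern the report asks for, as an added userspace example that is neither the reporter's nor the kernel's code: a model of the fragment loop at lines 63-64 with the allocation result checked before skb->cb is written, plus a fault-injecting stand-in for dev_alloc_skb() so the out-of-memory path can actually be exercised. The struct, the allocator, run_download and the fragment size are all constructed for the example.

```c
/* Added example, not kernel code: a userspace model of fw_download_code()'s
 * fragment loop with the NULL check the report asks for; all names are made up. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#define FRAG_LEN 256                 /* constructed fragment size */
struct model_sk_buff {
    unsigned char cb[48];            /* like sk_buff.cb */
    unsigned char data[];            /* len bytes, allocated below */
};

/* Fault injection: after alloc_fail_after successes every allocation
 * returns NULL, as dev_alloc_skb() does under memory pressure. */
static int alloc_fail_after = -1, alloc_count;   /* -1 = never fail */

static struct model_sk_buff *model_dev_alloc_skb(size_t len)
{
    if (alloc_fail_after >= 0 && alloc_count++ >= alloc_fail_after)
        return NULL;
    return calloc(1, sizeof(struct model_sk_buff) + len);
}

/* Hardened form of r8192E_firmware.c lines 63-64: the result is tested
 * before skb->cb is written, so an OOM aborts the download cleanly. */
static bool fw_download_code_checked(const unsigned char *code, size_t len)
{
    for (size_t off = 0; off < len; ) {
        size_t frag = (len - off > FRAG_LEN) ? FRAG_LEN : len - off;
        struct model_sk_buff *skb = model_dev_alloc_skb(frag + 4);
        if (!skb)
            return false;            /* the check the original loop lacks */
        memcpy(skb->cb, "DEV", 4);   /* stands in for the &dev copy */
        memcpy(skb->data, code + off, frag);
        free(skb);                   /* model "transmit" consumes the skb */
        off += frag;
    }
    return true;
}

/* Drive the loop over a constructed 0xAB-filled image of image_len bytes. */
static bool run_download(size_t image_len, int fail_after)
{
    static unsigned char img[4 * FRAG_LEN];
    if (image_len > sizeof img)
        return false;
    memset(img, 0xAB, image_len);
    alloc_fail_after = fail_after;
    alloc_count = 0;
    return fw_download_code_checked(img, image_len);
}
```

A 600-byte image needs three fragments, so failing the first or second allocation makes the download return false instead of dereferencing NULL, while a failure threshold of three or more lets it complete.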
Comment 1 Daniel Dressler 2014-11-05 16:15:25 UTC
A patch addressing this issue has been submitted and is awaiting review.
Comment 2 Hugo Lefeuvre 2018-05-29 00:36:08 UTC
Affected code was removed in 15d140664c94f56e67e4cf3107c000471ae72a9c. This bug report can be closed.