Function ncsi_pkg_info_all_nl() defined in net/ncsi/ncsi-netlink.c may cause a null pointer dereference, as it calls nla_nest_start(), which may return NULL. The returned value is later used in function nla_nest_end(), where the pointer is dereferenced. The code related to this bug is shown as follows.

net/ncsi/ncsi-netlink.c:

249:    attr = nla_nest_start(skb, NCSI_ATTR_PACKAGE_LIST);
250     rc = ncsi_write_package_info(skb, ndp, package->id);
251     if (rc) {
252         nla_nest_cancel(skb, attr);
253         goto err;
254     }
255
256     nla_nest_end(skb, attr);

---

include/net/netlink.h:

1297:   static inline int nla_nest_end(struct sk_buff *skb, struct nlattr *start)
1298    {
1299        start->nla_len = skb_tail_pointer(skb) - (unsigned char *)start;
1300        return skb->len;
1301    }

Thanks for your attention!

JW, ZG
IMChecker Group, THU
Already fixed by commit 8daf1a2d7e40685054ebae680733d822ced6df62

Author: Colin Ian King <colin.king@canonical.com>
Date:   Mon Mar 26 12:27:12 2018 +0100

    net/ncsi: check for null return from call to nla_nest_start

    The call to nla_nest_start calls nla_put which can lead to a NULL
    return so it's possible for attr to become NULL and we can potentially
    get a NULL pointer dereference on attr. Fix this by checking for a NULL
    return.

    Detected by CoverityScan, CID#1466125 ("Dereference null return")

    Fixes: 955dc68cb9b2 ("net/ncsi: Add generic netlink family")
    Signed-off-by: Colin Ian King <colin.king@canonical.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
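The following is an added example, not code from the report, the commit or the kernel. It is a small userspace model of the netlink nesting helpers that makes the failure mode discussed in this thread runnable: nla_nest_start() returns NULL when the message buffer has no room for the 4-byte attribute header, and nla_nest_end() (same body as the kernel helper quoted above) dereferences its `start` argument unconditionally, so a caller that skips the NULL check hands a NULL pointer straight to it. `struct skb`, `skb_init`, `skb_put`, `write_package_info`, `pkg_info_checked`, the `scenario_*` functions and the attribute type numbers are this example's stand-ins for the kernel's sk_buff, ncsi_write_package_info() and ncsi_pkg_info_all_nl(); returning -EMSGSIZE on a NULL nest is this example's choice and is not a claim about what the commit does beyond adding the check.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN ((int)NLA_ALIGN(sizeof(struct nlattr)))

/* Attribute header laid out as in the netlink ABI. */
struct nlattr { uint16_t nla_len; uint16_t nla_type; };

/* Stand-in for struct sk_buff (example simplification): a data area, the
 * bytes used so far, and the tailroom configured per scenario. */
struct skb { unsigned char data[64]; size_t len; size_t size; };

static void skb_init(struct skb *skb, size_t tailroom)
{ memset(skb, 0, sizeof(*skb)); skb->size = tailroom; }

static unsigned char *skb_tail_pointer(struct skb *skb)
{ return skb->data + skb->len; }

/* Model of skb_put(): extend the tail, or return NULL when there is no room. */
static void *skb_put(struct skb *skb, size_t n)
{
    if (skb->len + n > skb->size)
        return NULL;
    unsigned char *p = skb_tail_pointer(skb);
    skb->len += n;
    return p;
}

/* Reserve a nest header; NULL means "message full", exactly the case the
 * report is about. */
static struct nlattr *nla_nest_start(struct skb *skb, uint16_t attrtype)
{
    struct nlattr *start = skb_put(skb, NLA_HDRLEN);
    if (!start)
        return NULL;
    start->nla_type = attrtype;
    start->nla_len = NLA_HDRLEN;
    return start;
}

/* Same body as the kernel helper quoted in the report: `start` is
 * dereferenced unconditionally, so a NULL from nla_nest_start() crashes here. */
static int nla_nest_end(struct skb *skb, struct nlattr *start)
{
    start->nla_len = (uint16_t)(skb_tail_pointer(skb) - (unsigned char *)start);
    return (int)skb->len;
}

static void nla_nest_cancel(struct skb *skb, struct nlattr *start)
{ skb->len = (size_t)((unsigned char *)start - skb->data); }

/* Stand-in for ncsi_write_package_info(): one u32 attribute inside the nest. */
static int write_package_info(struct skb *skb, uint32_t id)
{
    struct nlattr *a = skb_put(skb, NLA_HDRLEN + NLA_ALIGN(sizeof(id)));
    if (!a)
        return -EMSGSIZE;
    a->nla_type = 1;
    a->nla_len = (uint16_t)(NLA_HDRLEN + sizeof(id));
    memcpy((unsigned char *)a + NLA_HDRLEN, &id, sizeof(id));
    return 0;
}

/* Caller with the NULL check the fix adds: nla_nest_end() is never reached
 * with a NULL `attr`. */
static int pkg_info_checked(struct skb *skb, uint32_t id)
{
    struct nlattr *attr = nla_nest_start(skb, 2);
    if (!attr)
        return -EMSGSIZE;
    int rc = write_package_info(skb, id);
    if (rc) {
        nla_nest_cancel(skb, attr);
        return rc;
    }
    nla_nest_end(skb, attr);
    return 0;
}

/* Scenario 1: 2 bytes of tailroom, the 4-byte nest header does not fit. An
 * unchecked caller would pass NULL to nla_nest_end(); this one fails cleanly. */
int scenario_no_room_for_nest(void)
{
    struct skb s;
    skb_init(&s, 2);
    return pkg_info_checked(&s, 7);
}

/* Scenario 2: header fits, payload does not; cancel rolls the length back to 0. */
int scenario_payload_too_large(void)
{
    struct skb s;
    skb_init(&s, 8);
    int rc = pkg_info_checked(&s, 7);
    return rc == -EMSGSIZE && s.len == 0;
}

/* Scenario 3: everything fits; the nest length covers header plus 8-byte payload. */
int scenario_ok(void)
{
    struct skb s;
    uint16_t nest_len;
    skb_init(&s, 64);
    if (pkg_info_checked(&s, 7) != 0)
        return -1;
    memcpy(&nest_len, s.data, sizeof(nest_len));
    return nest_len;
}

int main(void)
{
    printf("no room: %d, cancelled: %d, nest len: %d\n",
           scenario_no_room_for_nest(), scenario_payload_too_large(), scenario_ok());
    return 0;
}
```

Scenario 1 is the one Coverity flagged: with the check removed from pkg_info_checked(), the same buffer state sends a NULL `attr` into nla_nest_end(), whose first statement writes through it. Scenario 2 shows why the existing nla_nest_cancel() path was never a substitute for the check: it only runs once `attr` is known to be valid.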