Bug 200533 - Potential NULL pointer dereference when nla_nest_start() fails in net/ncsi/ncsi-netlink.c
Alias: None
Product: Networking
Classification: Unclassified
Component: Other
Hardware: All
OS: Linux
Importance: P1 normal
Assignee: Stephen Hemminger
Depends on:
Reported: 2018-07-18 07:37 UTC by Jason Wood
Modified: 2018-07-18 15:41 UTC

See Also:
Kernel Version: v4.18-rc4
Tree: Mainline
Regression: No


Description Jason Wood 2018-07-18 07:37:13 UTC
Function ncsi_pkg_info_all_nl(), defined in net/ncsi/ncsi-netlink.c, may cause a null pointer dereference, as it calls nla_nest_start(), which may return NULL. The returned value is later used in function nla_nest_end(), where the pointer is dereferenced. The code related to this bug is shown below.

	attr = nla_nest_start(skb, NCSI_ATTR_PACKAGE_LIST);
	rc = ncsi_write_package_info(skb, ndp, package->id);
	if (rc) {
		nla_nest_cancel(skb, attr);
		goto err;
	}

	nla_nest_end(skb, attr);

static inline int nla_nest_end(struct sk_buff *skb, struct nlattr *start)
{
	start->nla_len = skb_tail_pointer(skb) - (unsigned char *)start;
	return skb->len;
}

Thanks for your attention!
IMChecker Group, THU
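
A constructed C model of the nesting pattern the report describes, added here as an illustration and not code from the kernel or from the reporter. struct buf, nla_hdr, nest_start(), nest_end(), write_package_list() and run_case() are hypothetical stand-ins for sk_buff, struct nlattr, nla_nest_start(), nla_nest_end() and ncsi_pkg_info_all_nl(); the model shows the one place where checking the nest_start() result keeps nest_end() from ever receiving a NULL start.

```c
/* Constructed model of netlink attribute nesting (not kernel code): buf, nla_hdr,
 * nest_start(), nest_end() and write_package_list() are hypothetical stand-ins for
 * sk_buff, struct nlattr, nla_nest_start(), nla_nest_end() and ncsi_pkg_info_all_nl(). */
#include <stdint.h>
#include <string.h>
struct nla_hdr { uint16_t nla_len; uint16_t nla_type; };
struct buf { unsigned char data[64]; size_t len; }; /* fixed tailroom */

/* Reserve a nest header; NULL when it does not fit (nla_nest_start() does the same). */
static struct nla_hdr *nest_start(struct buf *b, uint16_t type)
{
    if (b->len + sizeof(struct nla_hdr) > sizeof(b->data))
        return NULL;
    struct nla_hdr *h = (struct nla_hdr *)(b->data + b->len);
    h->nla_type = type;
    b->len += sizeof(*h);
    return h;
}

/* Same dereference as nla_nest_end(): start->nla_len = tail - start. */
static void nest_end(struct buf *b, struct nla_hdr *start)
{
    start->nla_len = (uint16_t)((b->data + b->len) - (unsigned char *)start);
}

/* Caller in the shape of the patched ncsi_pkg_info_all_nl(): 0 on success, -1 on failure. */
static int write_package_list(struct buf *b, const unsigned char *pkg, size_t n)
{
    struct nla_hdr *attr = nest_start(b, 1 /* NCSI_ATTR_PACKAGE_LIST stand-in */);
    if (!attr)
        return -1; /* the check the fix adds: nest_end(b, NULL) is never reached */
    if (b->len + n > sizeof(b->data)) {
        b->len = (size_t)((unsigned char *)attr - b->data); /* nla_nest_cancel() equivalent */
        return -1;
    }
    memcpy(b->data + b->len, pkg, n);
    b->len += n;
    nest_end(b, attr);
    return 0;
}

/* Drive the model with `prefill` bytes already in the buffer and a 4-byte entry. */
static int run_case(size_t prefill)
{
    struct buf b = { .len = prefill };
    return write_package_list(&b, (const unsigned char *)"pkg0", 4);
}
```

run_case(0) succeeds, run_case(60) writes the header but rolls it back when the entry does not fit, and run_case(62) fails at the NULL check that the fix adds instead of dereferencing NULL in nest_end().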
Comment 1 Stephen Hemminger 2018-07-18 15:41:07 UTC
Already fixed by commit 8daf1a2d7e40685054ebae680733d822ced6df62
Author: Colin Ian King <colin.king@canonical.com>
Date:   Mon Mar 26 12:27:12 2018 +0100

    net/ncsi: check for null return from call to nla_nest_start
    The call to nla_nest_start calls nla_put which can lead to a NULL
    return so it's possible for attr to become NULL and we can potentially
    get a NULL pointer dereference on attr.  Fix this by checking for
    a NULL return.
    Detected by CoverityScan, CID#1466125 ("Dereference null return")
    Fixes: 955dc68cb9b2 ("net/ncsi: Add generic netlink family")
    Signed-off-by: Colin Ian King <colin.king@canonical.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
