Function nla_reserve() will return NULL if the tailroom of the skb is insufficient, so the return value shall be checked against NULL before it is used. But in function reset_per_cpu_data(), the return value of nla_reserve() (called at net/core/drop_monitor.c:90) is used without a NULL check. The related code snippets are as follows.

reset_per_cpu_data() @@net/core/drop_monitor.c:87

    87 data->skb = genlmsg_new(al, GFP_KERNEL);
    88 genlmsg_put(data->skb, 0, 0, &net_drop_monitor_family,
    89             0, NET_DM_CMD_ALERT);
    90 nla = nla_reserve(data->skb, NLA_UNSPEC, sizeof(struct net_dm_alert_msg));
    91 msg = nla_data(nla);

From looking up the source code of genlmsg_put(), whether nla_reserve() will return a NULL pointer depends on the value of net_drop_monitor_family.hard_size. So I am not sure whether the missing check of variable nla against NULL is a real bug, or whether it is the author's purpose to avoid wasting time because in this context nla_reserve() will never return a NULL pointer.

Thank you
RUC_Soft_Sec
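The question above turns on one fact: nla_reserve() fails only when the skb's tailroom is smaller than the aligned attribute, and the tailroom is whatever genlmsg_new() allocated minus what genlmsg_put() already consumed. The following user-space model is an added example, not kernel code and not from the report: struct toy_skb, toy_nla_reserve(), build_alert() and alert_alloc_size() are hypothetical names that imitate the skb tailroom bookkeeping, and the header sizes are assumed constants. It shows both outcomes: an allocation sized for the headers plus the message never makes the reserve fail, while an undersized allocation does, which is exactly the case the NULL check at line 90 would catch.

```c
/* Added example: user-space model of skb tailroom and nla_reserve().
 * All names and sizes here are assumptions, not the kernel's. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TOY_NLA_HDRLEN 4u                     /* models struct nlattr (len, type) */
#define TOY_NLA_ALIGN(n) (((n) + 3u) & ~3u)   /* netlink attributes are 4-byte aligned */

/* Minimal stand-in for struct sk_buff: tailroom = cap - len. */
struct toy_skb {
    unsigned char *data;
    size_t len;   /* bytes already used */
    size_t cap;   /* total allocation */
};

/* Models the message whose size drives the allocation in reset_per_cpu_data(). */
struct toy_alert_msg { uint32_t entries; };

static struct toy_skb *toy_skb_new(size_t cap)
{
    struct toy_skb *skb = malloc(sizeof(*skb));
    if (!skb) return NULL;
    skb->data = calloc(cap ? cap : 1, 1);
    if (!skb->data) { free(skb); return NULL; }
    skb->len = 0;
    skb->cap = cap;
    return skb;
}

static void toy_skb_free(struct toy_skb *skb)
{
    if (skb) { free(skb->data); free(skb); }
}

/* Like nla_reserve(): returns the attribute start, or NULL if the tailroom
 * cannot hold the aligned header + payload. */
static unsigned char *toy_nla_reserve(struct toy_skb *skb, uint16_t type, size_t payload)
{
    size_t need = TOY_NLA_ALIGN(TOY_NLA_HDRLEN + payload);
    if (skb->cap - skb->len < need)
        return NULL;                          /* insufficient tailroom */
    unsigned char *attr = skb->data + skb->len;
    uint16_t nla_len = (uint16_t)(TOY_NLA_HDRLEN + payload);
    memcpy(attr, &nla_len, sizeof nla_len);
    memcpy(attr + 2, &type, sizeof type);
    skb->len += need;
    return attr;
}

/* Allocation size that leaves room for the headers plus one alert message,
 * i.e. the case in which the reserve can never fail. */
size_t alert_alloc_size(size_t genl_hdr)
{
    return genl_hdr + TOY_NLA_ALIGN(TOY_NLA_HDRLEN + sizeof(struct toy_alert_msg));
}

/* Models reset_per_cpu_data() with the NULL check present.
 * Returns 0 on success, -1 if any allocation or the reserve fails. */
int build_alert(size_t skb_cap, size_t genl_hdr)
{
    struct toy_skb *skb = toy_skb_new(skb_cap);
    if (!skb) return -1;

    /* genlmsg_put() consumes the netlink + generic netlink headers first. */
    if (skb->cap - skb->len < genl_hdr) { toy_skb_free(skb); return -1; }
    skb->len += genl_hdr;

    /* The reserve whose result is used unchecked at drop_monitor.c:90. */
    unsigned char *nla = toy_nla_reserve(skb, 0 /* NLA_UNSPEC */, sizeof(struct toy_alert_msg));
    if (!nla) { toy_skb_free(skb); return -1; }   /* the check under discussion */

    struct toy_alert_msg *msg = (struct toy_alert_msg *)(nla + TOY_NLA_HDRLEN);
    msg->entries = 0;                              /* safe: nla is non-NULL here */
    toy_skb_free(skb);
    return 0;
}
```

With a 20-byte header assumption, alert_alloc_size(20) is 28, and build_alert(28, 20) succeeds, whereas build_alert(24, 20) fails because only 4 bytes of tailroom remain for an 8-byte attribute. Whether the kernel's sizing argument al always satisfies the first condition is precisely what decides if the unchecked use is reachable.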
I am sorry to trouble you, but I want to make sure whether this is a real bug or a false positive.

Thank you
RUC_Soft_Sec
If this doesn't ever return a NULL pointer, why check for it? I don't think this is a bug and would close it.

Cheers
Nick