Bug 44631 - Missing NULL check of the return value of get_skb() in function send_flowc()
Summary: Missing NULL check of the return value of get_skb() in function send_flowc()
Status: RESOLVED CODE_FIX
Alias: None
Product: Drivers
Classification: Unclassified
Component: Infiniband/RDMA (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: drivers_infiniband-rdma
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-13 02:16 UTC by RUC_Soft_Sec
Modified: 2014-06-25 02:40 UTC (History)
1 user (show)

See Also:
Kernel Version: 2.6.39
Tree: Mainline
Regression: No


Attachments

Description RUC_Soft_Sec 2012-07-13 02:16:03 UTC
Function get_skb() may return a NULL pointer, and its return value shall be checked before used. But in function send_flowc() after get_skb() is called(at drivers/infiniband/hw/cxgb4/cm.c:362), the return value is immediately used as a parameter of __skb_put() without NULL check. Besides, there is no check before the parameter is dereferenced in the callee function __skb_put(). So an invalid memory access may be triggered.
The related code snippets in send_flowc() are as following.
send_flowc() @@drivers/infiniband/hw/cxgb4/cm.c:362
 362        skb = get_skb(skb, flowclen, GFP_KERNEL);
 363        flowc = (struct fw_flowc_wr *)__skb_put(skb, flowclen);

And the implementation of get_skb() are as following.
get_skb() drivers/infiniband/hw/cxgb4/cm.c:301
 301static struct sk_buff *get_skb(struct sk_buff *skb, int len, gfp_t gfp)
 302{
 303        if (skb && !skb_is_nonlinear(skb) && !skb_cloned(skb)) {
 304                skb_trim(skb, 0);
 305                skb_get(skb);
 306                skb_reset_transport_header(skb);
 307        } else {
 308                skb = alloc_skb(len, gfp);
 309        }
 310        return skb;
 311}

Following is a call instance of snd_flowc.
act_establish @@drivers/infiniband/hw/cxgb4/cm.c:695
 695        /* start MPA negotiation */
 696        send_flowc(ep, NULL);

So from the source code we can see that potential NULL dereference fault exists when path act_establish()->send_flowc()->get_skb()->alloc_skb() is executed.

Thank you

RUC_Soft_Sec
Comment 1 RUC_Soft_Sec 2012-08-14 13:40:16 UTC
I am sorry to trouble, but I want to make sure whether this a real bug or a false positive.

Thank you

RUC_Soft_Sec
Comment 2 xerofoify 2014-06-18 21:01:06 UTC
RUC_Soft_SEC I fixed this issue 
a few days ago. Can you please
close this bug.
Thanks Nick

Note You need to log in before you can comment on or make changes to this bug.