Function dev_alloc_skb() may return a NULL pointer, thus its return value shall be checked against NULL before it is used. But in function ipw_packet_received_skb(), the return value of dev_alloc_skb() (called at drivers/tty/ipwireless/network.c:349) is not checked. So an invalid memory access fault may be triggered when the return value (held by variable skb) of dev_alloc_skb() is used as a parameter of function skb_reserve() at line 350. The related code snippets are as follows.

ipw_packet_received_skb @@ drivers/tty/ipwireless/network.c:349
349         skb = dev_alloc_skb(length + 4);
350         skb_reserve(skb, 2);
351         memcpy(skb_put(skb, length), data, length);

Generally, the return value of dev_alloc_skb() is checked against NULL before it is used. Take fwnet_pd_new(), a function in file drivers/firewire/net.c, for example.

fwnet_pd_new @@ drivers/firewire/net.c:400
400         new->skb = dev_alloc_skb(dg_size + net->hard_header_len + 15);
401         if (new->skb == NULL)
402                 goto fail_w_fi;
403
404         skb_reserve(new->skb, (net->hard_header_len + 15) & ~15);
405         new->pbuf = skb_put(new->skb, dg_size);
406         memcpy(new->pbuf + frag_off, frag_buf, frag_len);

Thanks
RUC_Soft_Sec
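The following is an added, stand-alone illustration of the pattern the report asks for (check the allocation before skb_reserve()/skb_put() touch it), written for this page and not taken from the ipwireless driver or from the kernel. It replaces the kernel's sk_buff helpers with small mock versions (mock_dev_alloc_skb, mock_skb_reserve, mock_skb_put, mock_kfree_skb, all hypothetical names) so that the out-of-memory case can be injected and exercised in user space; the receive function returns -ENOMEM instead of dereferencing NULL, which is the behaviour a driver should have when the allocator fails.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for the kernel's struct sk_buff (hypothetical layout). */
struct sk_buff {
    unsigned char *head;   /* start of the allocated buffer */
    unsigned char *data;   /* start of payload after any reserved headroom */
    unsigned char *tail;   /* end of payload written so far */
    size_t len;            /* payload bytes currently in the buffer */
    size_t truesize;       /* bytes allocated */
};

/* Failure injection: when non-zero the mock allocator returns NULL, which is
 * exactly what dev_alloc_skb() does under memory pressure. */
static int mock_alloc_should_fail = 0;

static struct sk_buff *mock_dev_alloc_skb(size_t length)
{
    if (mock_alloc_should_fail)
        return NULL;
    struct sk_buff *skb = calloc(1, sizeof(*skb));
    if (!skb)
        return NULL;
    skb->head = calloc(1, length);
    if (!skb->head) {
        free(skb);
        return NULL;
    }
    skb->data = skb->tail = skb->head;
    skb->truesize = length;
    return skb;
}

static void mock_skb_reserve(struct sk_buff *skb, size_t n)
{
    skb->data += n;
    skb->tail += n;
}

static unsigned char *mock_skb_put(struct sk_buff *skb, size_t n)
{
    unsigned char *p = skb->tail;
    skb->tail += n;
    skb->len += n;
    return p;
}

static void mock_kfree_skb(struct sk_buff *skb)
{
    if (skb) {
        free(skb->head);
        free(skb);
    }
}

/* Hardened receive path: the allocation result is checked before it is used.
 * Returns 0 and hands back the skb on success, -ENOMEM if allocation failed
 * (the caller simply drops the packet; nothing is dereferenced). */
static int packet_received_checked(const unsigned char *data, size_t length,
                                   struct sk_buff **out)
{
    struct sk_buff *skb = mock_dev_alloc_skb(length + 4);
    if (!skb)
        return -ENOMEM;            /* the check missing from the report's line 349 */
    mock_skb_reserve(skb, 2);      /* same headroom as the reported code */
    memcpy(mock_skb_put(skb, length), data, length);
    *out = skb;
    return 0;
}

/* Drives the hardened path with a constructed 4-byte payload. Returns the
 * number of payload bytes copied on success, -1 if the copy mismatched,
 * or the negative errno from the receive path. */
static long demo_receive(int inject_failure)
{
    static const unsigned char payload[] = "\x45\x00\x00\x1c"; /* constructed sample */
    const size_t payload_len = sizeof(payload) - 1;
    struct sk_buff *skb = NULL;

    mock_alloc_should_fail = inject_failure;
    int rc = packet_received_checked(payload, payload_len, &skb);
    mock_alloc_should_fail = 0;
    if (rc)
        return rc;

    long copied = (long)skb->len;
    if (memcmp(skb->data, payload, skb->len) != 0)
        copied = -1;
    mock_kfree_skb(skb);
    return copied;
}

int main(void)
{
    printf("normal path: %ld bytes copied\n", demo_receive(0));
    printf("allocation failure: rc=%ld (expected %d)\n", demo_receive(1), -ENOMEM);
    return 0;
}
```

Running the block prints the byte count for the normal path and -ENOMEM for the injected failure; an unchecked version of packet_received_checked() would instead fault inside mock_skb_reserve() on the NULL pointer, which is the oops the report describes.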
In general please copy any network driver bugs to netdev@vger.kernel.org to get them actioned. In this case it's ipwireless which happens to be half handled by me so I'll go deal with this one.
A patch referencing this bug report has been merged in Linux v3.8-rc1:

commit d1519e23c2b3a518fb41daf3eceae43382433ceb
Author: Alan Cox <alan@linux.intel.com>
Date:   Thu Nov 1 16:45:49 2012 +0000

    ipwireless: don't oops if we run out of space