In function fw_download_code() at drivers/staging/rtl8192e/rtl8192e/r8192E_firmware.c:35, the call to dev_alloc_skb() at line 63 may return a NULL pointer when there is not enough memory, but its return value is never checked against NULL before it is dereferenced at line 64, and thus an invalid memory access error may be triggered. The related code snippets in function fw_download_code() are as follows.

fw_download_code @ drivers/staging/rtl8192e/rtl8192e/r8192E_firmware.c:35
  35 static bool fw_download_code(struct net_device *dev, u8 *code_virtual_address,
  36                              u32 buffer_len)
  37 {
     ...
  63         skb = dev_alloc_skb(frag_length + 4);
  64         memcpy((unsigned char *)(skb->cb), &dev, sizeof(dev));
  65         tcb_desc = (struct cb_desc *)(skb->cb + MAX_DEV_ADDR_SIZE);
  66         tcb_desc->queue_index = TXCMD_QUEUE;
  67         tcb_desc->bCmdOrInit = DESC_PACKET_TYPE_INIT;
  68         tcb_desc->bLastIniPkt = bLastIniPkt;
     ...
 103 }

Generally, the return value of dev_alloc_skb() shall be checked against NULL before it is used, like the following code snippets in function prism2sta_inf_authreq().

prism2sta_inf_authreq @ drivers/staging/wlan-ng/prism2sta.c:1554
1554 static void prism2sta_inf_authreq(wlandevice_t *wlandev,
1555                                   hfa384x_InfFrame_t *inf)
1556 {
1557         hfa384x_t *hw = (hfa384x_t *) wlandev->priv;
1558         struct sk_buff *skb;
1559
1560         skb = dev_alloc_skb(sizeof(*inf));
1561         if (skb) {
1562                 skb_put(skb, sizeof(*inf));
1563                 memcpy(skb->data, inf, sizeof(*inf));
1564                 skb_queue_tail(&hw->authq, skb);
1565                 schedule_work(&hw->link_bh);
1566         }
1567 }

Thank you!
RUC_Soft_Sec, supported by China.X.Orion
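As an added illustration, not part of the bug report above and not code from the rtl8192e driver, the following stand-alone C program shows the pattern the report asks for, and goes one step beyond the single allocation at line 63: fw_download_code() allocates one skb per firmware fragment in a loop, so a NULL returned part-way through must also release the fragments already built, or the error path turns a crash into a leak. Everything here is hypothetical: struct fake_skb, fake_dev_alloc_skb() and fake_kfree_skb() stand in for sk_buff, dev_alloc_skb() and dev_kfree_skb() and add failure injection plus a live-object counter, fw_download_code_checked() is a checked version of the fragment loop, and the 256-byte firmware image is constructed in run_scenario().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for struct sk_buff; only the fields used here. */
struct fake_skb {
    unsigned char cb[48];            /* control block, like sk_buff::cb */
    unsigned char *data;
    size_t len;
};

static int fail_alloc_at = 0;        /* failure injection: Nth allocation returns NULL */
static int alloc_count = 0;
static int live_skbs = 0;            /* allocated but not yet freed; detects leaks */

/* Hypothetical replacement for dev_alloc_skb(): may return NULL, as the real one can. */
static struct fake_skb *fake_dev_alloc_skb(size_t len)
{
    if (++alloc_count == fail_alloc_at)
        return NULL;
    struct fake_skb *skb = calloc(1, sizeof(*skb));
    if (!skb || !(skb->data = malloc(len))) {
        free(skb);
        return NULL;
    }
    skb->len = len;
    live_skbs++;
    return skb;
}

/* Hypothetical replacement for dev_kfree_skb(): tolerates NULL. */
static void fake_kfree_skb(struct fake_skb *skb)
{
    if (!skb)
        return;
    free(skb->data);
    free(skb);
    live_skbs--;
}

#define MAX_FRAGS 16

/* Hypothetical checked fragment loop modelled on fw_download_code(): one skb per
 * fragment of at most frag_max bytes, stored in out[]. A NULL from the allocator
 * ends the loop, frees every fragment built so far and reports false, so nothing
 * is dereferenced through a NULL pointer and no half-built set is handed on. */
static bool fw_download_code_checked(const unsigned char *code, size_t buffer_len,
                                     size_t frag_max, struct fake_skb **out,
                                     size_t *nfrags)
{
    size_t produced = 0, off = 0;

    while (off < buffer_len) {
        size_t frag_len = buffer_len - off;
        if (frag_len > frag_max)
            frag_len = frag_max;
        if (produced == MAX_FRAGS)
            goto fail;                             /* image too large for out[] */
        struct fake_skb *skb = fake_dev_alloc_skb(frag_len + 4);
        if (!skb)
            goto fail;                             /* the check missing at line 63/64 */
        memcpy(skb->data, code + off, frag_len);
        skb->cb[0] = (off + frag_len >= buffer_len); /* plays the role of bLastIniPkt */
        out[produced++] = skb;
        off += frag_len;
    }
    *nfrags = produced;
    return true;

fail:
    while (produced > 0)
        fake_kfree_skb(out[--produced]);
    *nfrags = 0;
    return false;
}

/* Runs one scenario over a constructed 256-byte image. Returns the number of
 * fragments on success, 0 when the loop reported failure, -1 on an skb leak,
 * -2 when fragment contents or the last-fragment marker are wrong. */
static int run_scenario(size_t total_len, size_t frag_max, int fail_at)
{
    unsigned char image[256];
    struct fake_skb *frags[MAX_FRAGS];
    size_t n = 0, off = 0;

    for (size_t i = 0; i < sizeof image; i++)
        image[i] = (unsigned char)i;               /* constructed sample payload */
    if (total_len > sizeof image)
        total_len = sizeof image;

    alloc_count = 0;
    fail_alloc_at = fail_at;
    bool ok = fw_download_code_checked(image, total_len, frag_max, frags, &n);
    fail_alloc_at = 0;

    int result = ok ? (int)n : 0;
    for (size_t i = 0; i < n; i++) {
        size_t payload = frags[i]->len - 4;
        if (memcmp(frags[i]->data, image + off, payload) != 0 ||
            frags[i]->cb[0] != (i + 1 == n))
            result = -2;
        off += payload;
        fake_kfree_skb(frags[i]);
    }
    return live_skbs != 0 ? -1 : result;
}

int main(void)
{
    printf("no failure:      %d fragments\n", run_scenario(100, 40, 0));
    printf("2nd alloc fails: %d (0 = clean failure, no leak)\n", run_scenario(100, 40, 2));
    return 0;
}
```

The point of the live_skbs counter is that a correct fix has two halves: the NULL test itself, and an error path that undoes the work the loop had already done before it returns. Checking only the first is the common partial fix.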
A patch addressing this issue has been submitted and is awaiting review.
Affected code was removed in 15d140664c94f56e67e4cf3107c000471ae72a9c. This bug report can be closed.