Function nla_nest_start() may return a NULL pointer, and its return value shall be checked before used. But in function sfb_dump() after nla_nest_start() is called(at net/sched/sch_sfb.c:559), the return value is immediately used as a parameter of nla_nest_end() without NULL check. Besides, there is no check before the parameter is dereferenced in the callee function nla_nest_end(). So an invalid memory access may be triggered. The related code snippets in sfb_dump() are as following. sfb_dump() @@net/sched/sch_sfb.c:559 559 opts = nla_nest_start(skb, TCA_OPTIONS); 560 NLA_PUT(skb, TCA_SFB_PARMS, sizeof(opt), &opt); 561 return nla_nest_end(skb, opts); Generally, the return value of nla_nest_start() shall be checked against NULL before it is used, like the following code snippets in function mk_reply(). mk_reply @ kernel/taskstats.c:364 364 static struct taskstats *mk_reply(struct sk_buff *skb, int type, u32 pid) 365 { 366 struct nlattr *na, *ret; 367 int aggr; 368 369 aggr = (type == TASKSTATS_TYPE_PID) 370 ? TASKSTATS_TYPE_AGGR_PID 371 : TASKSTATS_TYPE_AGGR_TGID; 372 ... 392 #ifdef TASKSTATS_NEEDS_PADDING 393 if (nla_put(skb, TASKSTATS_TYPE_NULL, 0, NULL) < 0) 394 goto err; 395 #endif 396 na = nla_nest_start(skb, aggr); 397 if (!na) 398 goto err; 399 400 if (nla_put(skb, type, sizeof(pid), &pid) < 0) 401 goto err; ... 409 return NULL; 410 } Thak you! RUC_Soft_Sec, supported by China.X.Orion
sfb case fixed in: commit 7ac2908e4b2edaec60e9090ddb4d9ceb76c05e7d Author: Alan Cox <alan@linux.intel.com> Date: Thu Jul 12 03:39:11 2012 +0000 sch_sfb: Fix missing NULL check Resolves-bug: https://bugzilla.kernel.org/show_bug.cgi?id=44461 Signed-off-by: Alan Cox <alan@linux.intel.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>