From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S933135AbcIEPip (ORCPT <rfc822;w@1wt.eu>);
        Mon, 5 Sep 2016 11:38:45 -0400
Received: from youngberry.canonical.com ([91.189.89.112]:35280 "EHLO
        youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932557AbcIEPim (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 5 Sep 2016 11:38:42 -0400
From: Colin King <colin.king@canonical.com>
To: Felipe Balbi <balbi@kernel.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Peter Chen <peter.chen@nxp.com>,
        Andrzej Pietrasiewicz <andrzej.p@samsung.com>,
        Nicholas Bellinger <nab@linux-iscsi.org>,
        Robert Baldyga <r.baldyga@samsung.com>,
        John Youn <John.Youn@synopsys.com>, linux-usb@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH] usb: gadget: prevent potenial null pointer dereference on skb->len
Date: Mon,  5 Sep 2016 16:37:12 +0100
Message-Id: <20160905153712.15205-1-colin.king@canonical.com>
X-Mailer: git-send-email 2.9.3
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Colin Ian King <colin.king@canonical.com>

An earlier fix partially fixed the null pointer dereference on skb->len
by moving the assignment of len after the check on skb being non-null,
however it failed to remove the erroneous dereference when assigning len.
Correctly fix this by removing the initialisation of len as was
originally intended.

Fixes: 70237dc8efd092 ("usb: gadget: function: f_eem: socket buffer may be NULL")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 drivers/usb/gadget/function/f_eem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/function/f_eem.c b/drivers/usb/gadget/function/f_eem.c
index 8741fd7..007ec6e 100644
--- a/drivers/usb/gadget/function/f_eem.c
+++ b/drivers/usb/gadget/function/f_eem.c
@@ -342,7 +342,7 @@ static struct sk_buff *eem_wrap(struct gether *port, struct sk_buff *skb)
 	struct sk_buff	*skb2 = NULL;
 	struct usb_ep	*in = port->in_ep;
 	int		headroom, tailroom, padlen = 0;
-	u16		len = skb->len;
+	u16		len;
 
 	if (!skb)
 		return NULL;
-- 
2.9.3