linux-kernel.vger.kernel.org archive mirror
* [PATCH] net: brcm80211: fix potential NULL pointer dereferences
@ 2019-03-11  7:32 Kangjie Lu
  2019-03-11  9:11 ` Arend Van Spriel
  0 siblings, 1 reply; 2+ messages in thread
From: Kangjie Lu @ 2019-03-11  7:32 UTC
  To: kjlu
  Cc: pakki001, Arend van Spriel, Franky Lin, Hante Meuleman,
	Chi-Hsien Lin, Wright Feng, Kalle Valo, David S. Miller,
	Rafał Miłecki, Stefan Wahren, Chung-Hsien Hsu,
	linux-wireless, brcm80211-dev-list.pdl, brcm80211-dev-list,
	netdev, linux-kernel

In case kmemdup fails, the fix returns -ENOMEM to avoid NULL
pointer dereferences.

Signed-off-by: Kangjie Lu <kjlu@umn.edu>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index e92f6351bd22..d903a45e7b68 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -5464,6 +5464,9 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
 		conn_info->req_ie =
 		    kmemdup(cfg->extra_buf, conn_info->req_ie_len,
 			    GFP_KERNEL);
+		if (!conn_info->req_ie)
+			return -ENOMEM;
+
 	} else {
 		conn_info->req_ie_len = 0;
 		conn_info->req_ie = NULL;
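
Review bot: the early return after the req_ie kmemdup leaves conn_info->req_ie_len at the length that was just passed to kmemdup while conn_info->req_ie is NULL, so length and pointer disagree and any later reader that trusts req_ie_len can still reach the NULL pointer this patch is meant to avoid. The else branch directly below shows the consistent empty state (req_ie_len = 0, req_ie = NULL); on allocation failure, set conn_info->req_ie_len = 0 so a failed copy looks the same as "no request IEs". The added blank line before "} else {" is stray and should be dropped.
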
@@ -5480,6 +5483,8 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
 		conn_info->resp_ie =
 		    kmemdup(cfg->extra_buf, conn_info->resp_ie_len,
 			    GFP_KERNEL);
+		if (!conn_info->resp_ie)
+			return -ENOMEM;
 	} else {
 		conn_info->resp_ie_len = 0;
 		conn_info->resp_ie = NULL;
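
Review bot: returning at the resp_ie check exits brcmf_get_assoc_ies with conn_info half populated: the request fields set by the earlier block stay in place, while resp_ie_len keeps its length and resp_ie is NULL. Clear conn_info->resp_ie_len to 0 on kmemdup failure, matching the else branch below, so the structure stays self-consistent whether or not anyone looks at the s32 return value. If the -ENOMEM return is kept, the same patch should also show the callers acting on it, otherwise the check has no effect.
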
-- 
2.17.1



* Re: [PATCH] net: brcm80211: fix potential NULL pointer dereferences
  2019-03-11  7:32 [PATCH] net: brcm80211: fix potential NULL pointer dereferences Kangjie Lu
@ 2019-03-11  9:11 ` Arend Van Spriel
  0 siblings, 0 replies; 2+ messages in thread
From: Arend Van Spriel @ 2019-03-11  9:11 UTC
  To: Kangjie Lu
  Cc: pakki001, Franky Lin, Hante Meuleman, Chi-Hsien Lin, Wright Feng,
	Kalle Valo, David S. Miller, Rafał Miłecki,
	Stefan Wahren, Chung-Hsien Hsu, linux-wireless,
	brcm80211-dev-list.pdl, brcm80211-dev-list, netdev, linux-kernel

On 3/11/2019 8:32 AM, Kangjie Lu wrote:
> In case kmemdup fails, the fix returns -ENOMEM to avoid NULL
> pointer dereferences.

Hi Kangjie Lu,

Are you fixing any reported issue with this? If you looked further you 
would see that this function is called in two places and the return 
value is not checked there. So your patch is not changing anything.

Please send a V2 addressing my comments below.

Thanks,
Arend

> Signed-off-by: Kangjie Lu <kjlu@umn.edu>
> ---
>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5 +++++
>   1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> index e92f6351bd22..d903a45e7b68 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> @@ -5464,6 +5464,9 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
>   		conn_info->req_ie =
>   		    kmemdup(cfg->extra_buf, conn_info->req_ie_len,
>   			    GFP_KERNEL);
> +		if (!conn_info->req_ie)
> +			return -ENOMEM;

No need to return an error here. Instead set conn_info->req_ie_len to 
zero here.

> +
>   	} else {
>   		conn_info->req_ie_len = 0;
>   		conn_info->req_ie = NULL;
> @@ -5480,6 +5483,8 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
>   		conn_info->resp_ie =
>   		    kmemdup(cfg->extra_buf, conn_info->resp_ie_len,
>   			    GFP_KERNEL);
> +		if (!conn_info->resp_ie)
> +			return -ENOMEM;

Same here for conn_info->resp_ie_len.

>   	} else {
>   		conn_info->resp_ie_len = 0;
>   		conn_info->resp_ie = NULL;
> 
