Function skb_clone() and dev_alloc_skb() may return NULL pointers if there is no enough memroy, their return values should be checked against NULL before used. This bug is found by a static tool developed by RUC_SoftSec, supported by China.X.Orion. Signed-off-by: RUC_SoftSec <rucsoftsec@xxxxxxxxx> --- drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c index 59900bf..9162151 100644 --- a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c +++ b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c @@ -848,11 +848,19 @@ u8 parse_subframe(struct sk_buff *skb, #ifdef JOHN_NOCPY sub_skb = skb_clone(skb, GFP_ATOMIC); + if (sub_skb == NULL) { + printk("ERR in %s(), skb_clone() failed\n", __FUNCTION__); + return 0; + } sub_skb->len = nSubframe_Length; sub_skb->tail = sub_skb->data + nSubframe_Length; #else /* Allocate new skb for releasing to upper layer */ sub_skb = dev_alloc_skb(nSubframe_Length + 12); + if (sub_skb == NULL) { + printk("ERR in %s(), dev_alloc_skb() failed\n", __FUNCTION__); + return 0; + } skb_reserve(sub_skb, 12); data_ptr = (u8 *)skb_put(sub_skb, nSubframe_Length); memcpy(data_ptr,skb->data,nSubframe_Length); -- 1.7.9.5 _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel