Function skb_clone() and dev_alloc_skb() may return NULL pointers if there is no enough memroy, their return values should be checked against NULL before used.
This bug is found by a static tool developed by RUC_SoftSec, supported by China.X.Orion.
Signed-off-by: RUC_SoftSec <rucsoftsec@xxxxxxxxx>
---
drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
index 59900bf..9162151 100644
--- a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
+++ b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
@@ -848,11 +848,19 @@ u8 parse_subframe(struct sk_buff *skb,
#ifdef JOHN_NOCPY
sub_skb = skb_clone(skb, GFP_ATOMIC);
+ if (sub_skb == NULL) {
+ printk("ERR in %s(), skb_clone() failed\n", __FUNCTION__);
+ return 0;
+ }
sub_skb->len = nSubframe_Length;
sub_skb->tail = sub_skb->data + nSubframe_Length;
#else
/* Allocate new skb for releasing to upper layer */
sub_skb = dev_alloc_skb(nSubframe_Length + 12);
+ if (sub_skb == NULL) {
+ printk("ERR in %s(), dev_alloc_skb() failed\n", __FUNCTION__);
+ return 0;
+ }
skb_reserve(sub_skb, 12);
data_ptr = (u8 *)skb_put(sub_skb, nSubframe_Length);
memcpy(data_ptr,skb->data,nSubframe_Length);
--
1.7.9.5
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
