[PATCH 1/1] staging: check return value of dev_alloc_skb() against NULL

[RUC_SoftSec <rucsoftsec@xxxxxxxxx>]

Function dev_alloc_skb() may return a NULL pointer if there is no enough memory, it should be checked against NULL before used.
This bug is found by a static analysis tool developed by RUC_SoftSec, supported by China.X.Orion.

Signed-off-by: RUC_SoftSec <rucsoftsec@xxxxxxxxx>
---
 drivers/staging/rtl8192u/r819xU_firmware.c |    8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/staging/rtl8192u/r819xU_firmware.c b/drivers/staging/rtl8192u/r819xU_firmware.c
index bb924ac..045e48c 100644
--- a/drivers/staging/rtl8192u/r819xU_firmware.c
+++ b/drivers/staging/rtl8192u/r819xU_firmware.c
@@ -66,6 +66,10 @@ bool fw_download_code(struct net_device *dev, u8 *code_virtual_address, u32 buff
 		#else
 		skb  = dev_alloc_skb(frag_length + 4);
 		#endif
+		if (skb == NULL) {
+			rt_status = false;
+			break;
+		}
 		memcpy((unsigned char *)(skb->cb),&dev,sizeof(dev));
 		tcb_desc = (cb_desc *)(skb->cb + MAX_DEV_ADDR_SIZE);
 		tcb_desc->queue_index = TXCMD_QUEUE;
@@ -124,6 +128,10 @@ fwSendNullPacket(
 
 	//Get TCB and local buffer from common pool. (It is shared by CmdQ, MgntQ, and USB coalesce DataQ)
 	skb  = dev_alloc_skb(Length+ 4);
+	if (skb == NULL) {
+		rtStatus = false;
+		return rtStatus;
+	}
 	memcpy((unsigned char *)(skb->cb),&dev,sizeof(dev));
 	tcb_desc = (cb_desc *)(skb->cb + MAX_DEV_ADDR_SIZE);
 	tcb_desc->queue_index = TXCMD_QUEUE;
-- 
1.7.9.5

_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel