On Mon, Oct 28, 2013 at 01:08:19PM +0800, RUC_SoftSec wrote: > Function dev_alloc_skb() may return a NULL pointer if there is no enough memory, it should be checked against NULL before used. > This bug is found by a static analysis tool developed by RUC_SoftSec, supported by China.X.Orion. > > Signed-off-by: RUC_SoftSec <rucsoftsec@xxxxxxxxx> > --- > drivers/staging/rtl8192u/r819xU_firmware.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/drivers/staging/rtl8192u/r819xU_firmware.c b/drivers/staging/rtl8192u/r819xU_firmware.c > index bb924ac..045e48c 100644 > --- a/drivers/staging/rtl8192u/r819xU_firmware.c > +++ b/drivers/staging/rtl8192u/r819xU_firmware.c > @@ -66,6 +66,10 @@ bool fw_download_code(struct net_device *dev, u8 *code_virtual_address, u32 buff > #else > skb = dev_alloc_skb(frag_length + 4); > #endif > + if (skb == NULL) { > + rt_status = false; > + break; > + } > memcpy((unsigned char *)(skb->cb),&dev,sizeof(dev)); > tcb_desc = (cb_desc *)(skb->cb + MAX_DEV_ADDR_SIZE); > tcb_desc->queue_index = TXCMD_QUEUE; > @@ -124,6 +128,10 @@ fwSendNullPacket( > > //Get TCB and local buffer from common pool. (It is shared by CmdQ, MgntQ, and USB coalesce DataQ) > skb = dev_alloc_skb(Length+ 4); > + if (skb == NULL) { > + rtStatus = false; > + return rtStatus; Just do: if (!skb) return false; regards, dan carpenter _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel