RE: [PATCH] usb: gadget: prevent potenial null pointer dereference on skb->len

Peter Chen <peter.chen@xxxxxxx> · Tue, 6 Sep 2016 01:44:29 +0000

>
>From: Colin Ian King <colin.king@xxxxxxxxxxxxx>
>
>An earlier fix partially fixed the null pointer dereference on skb->len by moving the
>assignment of len after the check on skb being non-null, however it failed to remove
>the erroneous dereference when assigning len.
>Correctly fix this by removing the initialisation of len as was originally intended.
>
>Fixes: 70237dc8efd092 ("usb: gadget: function: f_eem: socket buffer may be NULL")
>Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
>---
> drivers/usb/gadget/function/f_eem.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/drivers/usb/gadget/function/f_eem.c b/drivers/usb/gadget/function/f_eem.c
>index 8741fd7..007ec6e 100644
>--- a/drivers/usb/gadget/function/f_eem.c
>+++ b/drivers/usb/gadget/function/f_eem.c
>@@ -342,7 +342,7 @@ static struct sk_buff *eem_wrap(struct gether *port, struct
>sk_buff *skb)
> 	struct sk_buff	*skb2 = NULL;
> 	struct usb_ep	*in = port->in_ep;
> 	int		headroom, tailroom, padlen = 0;
>-	u16		len = skb->len;
>+	u16		len;
>
> 	if (!skb)
> 		return NULL;

Sorry, my careless, Thanks for fixing it.

Acked-by: Peter Chen <peter.chen@xxxxxxx>

Peter
��.n��������+%������w��{.n�����{���)��jg��������ݢj����G�������j:+v���w�m������w�������h�����٥