mwifiex: check for null return from skb_copy

Commit Message

Colin King April 13, 2019, 4:14 p.m. UTC

From: Colin Ian King <colin.king@canonical.com>

It is possible for skb_copy to return a null pointer and currently
this will cause a null pointer dereference when the function
mwifiex_uap_queue_bridged_pkt is called.  Fix this by checking for
a null return from skb_copy and return -ENOMEM.

Addresses-Coverity: ("Dereference null return")
Fixes: 838e4f449297 ("mwifiex: improve uAP RX handling")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 drivers/net/wireless/marvell/mwifiex/uap_txrx.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Dan Carpenter April 13, 2019, 7:27 p.m. UTC | #1

On Sat, Apr 13, 2019 at 05:14:38PM +0100, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
> 
> It is possible for skb_copy to return a null pointer and currently
> this will cause a null pointer dereference when the function
> mwifiex_uap_queue_bridged_pkt is called.  Fix this by checking for
> a null return from skb_copy and return -ENOMEM.
> 
> Addresses-Coverity: ("Dereference null return")
> Fixes: 838e4f449297 ("mwifiex: improve uAP RX handling")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
>  drivers/net/wireless/marvell/mwifiex/uap_txrx.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c
> index 5ce85d5727e4..b262dc78d638 100644
> --- a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c
> +++ b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c
> @@ -256,6 +256,8 @@ int mwifiex_handle_uap_rx_forward(struct mwifiex_private *priv,
>  
>  	if (is_multicast_ether_addr(ra)) {
>  		skb_uap = skb_copy(skb, GFP_ATOMIC);
> +		if (!skb_uap)
> +			return -ENOMEM;

I think we would want to free dev_kfree_skb_any(skb) before returning.

>  		mwifiex_uap_queue_bridged_pkt(priv, skb_uap);
>  	} else {
>  		if (mwifiex_get_sta_entry(priv, ra)) {

regards,
dan carpenter

Ganapathi Bhat June 1, 2019, 5:29 p.m. UTC | #2

Hi Dan,

> >  	if (is_multicast_ether_addr(ra)) {
> >  		skb_uap = skb_copy(skb, GFP_ATOMIC);
> > +		if (!skb_uap)
> > +			return -ENOMEM;
> 
> I think we would want to free dev_kfree_skb_any(skb) before returning.
I think if the pointer is NULL, no need to free it; 

Regards,
Ganapathi

Dan Carpenter June 1, 2019, 9:08 p.m. UTC | #3

On Sat, Jun 01, 2019 at 05:29:26PM +0000, Ganapathi Bhat wrote:
> Hi Dan,
> 
> > >  	if (is_multicast_ether_addr(ra)) {
> > >  		skb_uap = skb_copy(skb, GFP_ATOMIC);
> > > +		if (!skb_uap)
> > > +			return -ENOMEM;
> > 
> > I think we would want to free dev_kfree_skb_any(skb) before returning.
> I think if the pointer is NULL, no need to free it; 

You're misreading skb vs skb_uap.  "skb_uap" is NULL but "skb" is
non-NULL and I'm pretty sure we should free it.

regards,
dan carpenter

Ganapathi Bhat June 2, 2019, 1:56 a.m. UTC | #4

Hi Dan,

> > > >  	if (is_multicast_ether_addr(ra)) {
> > > >  		skb_uap = skb_copy(skb, GFP_ATOMIC);
> > > > +		if (!skb_uap)
> > > > +			return -ENOMEM;
> > >
> > > I think we would want to free dev_kfree_skb_any(skb) before returning.
> > I think if the pointer is NULL, no need to free it;
> 
> You're misreading skb vs skb_uap.  "skb_uap" is NULL but "skb" is non-NULL
> and I'm pretty sure we should free it.

Oh, right. I missed it; Yes you are correct.

Regards,
Ganapathi

Patch

diff --git a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c
index 5ce85d5727e4..b262dc78d638 100644
--- a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c
+++ b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c
@@ -256,6 +256,8 @@  int mwifiex_handle_uap_rx_forward(struct mwifiex_private *priv,
 
 	if (is_multicast_ether_addr(ra)) {
 		skb_uap = skb_copy(skb, GFP_ATOMIC);
+		if (!skb_uap)
+			return -ENOMEM;
 		mwifiex_uap_queue_bridged_pkt(priv, skb_uap);
 	} else {
 		if (mwifiex_get_sta_entry(priv, ra)) {