[PATCH 1/1] staging: check return value of dev_alloc_skb() against NULL

Dan Carpenter dan.carpenter at oracle.com
Wed Oct 30 09:40:22 UTC 2013


On Mon, Oct 28, 2013 at 01:08:19PM +0800, RUC_SoftSec wrote:
> Function dev_alloc_skb() may return a NULL pointer if there is not enough memory; it should be checked against NULL before being used.
> This bug was found by a static analysis tool developed by RUC_SoftSec, supported by China.X.Orion.
> 
> Signed-off-by: RUC_SoftSec <rucsoftsec at gmail.com>
> ---
>  drivers/staging/rtl8192u/r819xU_firmware.c |    8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/drivers/staging/rtl8192u/r819xU_firmware.c b/drivers/staging/rtl8192u/r819xU_firmware.c
> index bb924ac..045e48c 100644
> --- a/drivers/staging/rtl8192u/r819xU_firmware.c
> +++ b/drivers/staging/rtl8192u/r819xU_firmware.c
> @@ -66,6 +66,10 @@ bool fw_download_code(struct net_device *dev, u8 *code_virtual_address, u32 buff
>  		#else
>  		skb  = dev_alloc_skb(frag_length + 4);
>  		#endif
> +		if (skb == NULL) {
> +			rt_status = false;
> +			break;
> +		}
>  		memcpy((unsigned char *)(skb->cb),&dev,sizeof(dev));
>  		tcb_desc = (cb_desc *)(skb->cb + MAX_DEV_ADDR_SIZE);
>  		tcb_desc->queue_index = TXCMD_QUEUE;
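
Review bot: the `break` added after `rt_status = false;` in fw_download_code() only reports the failure if nothing after the loop overwrites rt_status, and that code is outside this hunk, so please confirm it and say so in the changelog. If earlier iterations already queued fragments, the caller is left with a partial firmware download; the commit message should state whether that is handled. The test itself would normally be written `if (!skb)`.
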
> @@ -124,6 +128,10 @@ fwSendNullPacket(
>  
>  	//Get TCB and local buffer from common pool. (It is shared by CmdQ, MgntQ, and USB coalesce DataQ)
>  	skb  = dev_alloc_skb(Length+ 4);
> +	if (skb == NULL) {
> +		rtStatus = false;
> +		return rtStatus;
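
Review bot: in fwSendNullPacket() the store `rtStatus = false;` immediately before `return rtStatus;` is redundant, because nothing reads the variable between the two lines. Returning the constant directly after an `if (!skb)` test drops the braces and the extra assignment and leaves the failure path two lines long.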

Just do:

	if (!skb)
		return false;

regards,
dan carpenter


