Message ID | 20190302203123.9182-1-pakki001@umn.edu (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | Kalle Valo |
Series | rsi: Fix NULL pointer dereference in kmalloc |
On Sat, 2019-03-02 at 14:31 -0600, Aditya Pakki wrote: > kmalloc can fail in rsi_register_rates_channels but memcpy still attempts > to write to channels. The patch checks and avoids such a situation. [] > diff --git a/drivers/net/wireless/rsi/rsi_91x_mac80211.c b/drivers/net/wireless/rsi/rsi_91x_mac80211.c [] > @@ -197,6 +197,11 @@ static void rsi_register_rates_channels(struct rsi_hw *adapter, int band) It'd be better to make this return -ENOMEM on failure and test in the caller and push the failure up-stack. > > if (band == NL80211_BAND_2GHZ) { > channels = kmalloc(sizeof(rsi_2ghz_channels), GFP_KERNEL); > + if (!channels) { > + rsi_dbg(ERR_ZONE, "Failed to allocate memory\n"); Allocation error messages aren't really useful as there's a generic OOM message. > + return; > + } > + > memcpy(channels, > rsi_2ghz_channels, > sizeof(rsi_2ghz_channels)); > @@ -206,6 +211,11 @@ static void rsi_register_rates_channels(struct rsi_hw *adapter, int band) > sbands->n_bitrates = ARRAY_SIZE(rsi_rates); > } else { > channels = kmalloc(sizeof(rsi_5ghz_channels), GFP_KERNEL); > + if (!channels) { > + rsi_dbg(ERR_ZONE, "Failed to allocate memory\n"); > + return; > + } > + > memcpy(channels, > rsi_5ghz_channels, > sizeof(rsi_5ghz_channels));
On Sat, 2019-03-02 at 14:31 -0600, Aditya Pakki wrote: > kmalloc can fail in rsi_register_rates_channels but memcpy still attempts > to write to channels. The patch checks and avoids such a situation. > > Signed-off-by: Aditya Pakki <pakki001@umn.edu> > --- > drivers/net/wireless/rsi/rsi_91x_mac80211.c | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/drivers/net/wireless/rsi/rsi_91x_mac80211.c b/drivers/net/wireless/rsi/rsi_91x_mac80211.c > index e56fc83faf0e..59eb1f533d0e 100644 > --- a/drivers/net/wireless/rsi/rsi_91x_mac80211.c > +++ b/drivers/net/wireless/rsi/rsi_91x_mac80211.c > @@ -197,6 +197,11 @@ static void rsi_register_rates_channels(struct rsi_hw *adapter, int band) > > if (band == NL80211_BAND_2GHZ) { > channels = kmalloc(sizeof(rsi_2ghz_channels), GFP_KERNEL); > + if (!channels) { > + rsi_dbg(ERR_ZONE, "Failed to allocate memory\n"); > + return; > + } > + > memcpy(channels, > rsi_2ghz_channels, > sizeof(rsi_2ghz_channels)); Should probably be kmemdup() anyway though. johannes
diff --git a/drivers/net/wireless/rsi/rsi_91x_mac80211.c b/drivers/net/wireless/rsi/rsi_91x_mac80211.c index e56fc83faf0e..59eb1f533d0e 100644 --- a/drivers/net/wireless/rsi/rsi_91x_mac80211.c +++ b/drivers/net/wireless/rsi/rsi_91x_mac80211.c @@ -197,6 +197,11 @@ static void rsi_register_rates_channels(struct rsi_hw *adapter, int band) if (band == NL80211_BAND_2GHZ) { channels = kmalloc(sizeof(rsi_2ghz_channels), GFP_KERNEL); + if (!channels) { + rsi_dbg(ERR_ZONE, "Failed to allocate memory\n"); + return; + } + memcpy(channels, rsi_2ghz_channels, sizeof(rsi_2ghz_channels)); @@ -206,6 +211,11 @@ static void rsi_register_rates_channels(struct rsi_hw *adapter, int band) sbands->n_bitrates = ARRAY_SIZE(rsi_rates); } else { channels = kmalloc(sizeof(rsi_5ghz_channels), GFP_KERNEL); + if (!channels) { + rsi_dbg(ERR_ZONE, "Failed to allocate memory\n"); + return; + } + memcpy(channels, rsi_5ghz_channels, sizeof(rsi_5ghz_channels));
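Review bot: In the first hunk (the NL80211_BAND_2GHZ branch) the new `if (!channels)` path ends in a bare `return;`, and the hunk header shows rsi_register_rates_channels() is declared `static void`, so the caller has no way to learn that the band setup was abandoned and will carry on as if it succeeded. Suggest changing the function to return int, returning -ENOMEM on this path, and checking that result in the caller so the failure is propagated and unwound there.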
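Review bot: The second hunk (the 5 GHz `else` branch) duplicates the check and the `rsi_dbg(ERR_ZONE, "Failed to allocate memory\n");` line from the first branch; the message adds nothing over the allocator's own out-of-memory report and can be dropped. Each branch also pairs kmalloc() with a memcpy() of the same `sizeof(...)`, which is exactly what kmemdup() does in one call, e.g. `channels = kmemdup(rsi_5ghz_channels, sizeof(rsi_5ghz_channels), GFP_KERNEL);` followed by the NULL check.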
kmalloc can fail in rsi_register_rates_channels but memcpy still attempts to write to channels. The patch checks and avoids such a situation. Signed-off-by: Aditya Pakki <pakki001@umn.edu> --- drivers/net/wireless/rsi/rsi_91x_mac80211.c | 10 ++++++++++ 1 file changed, 10 insertions(+)