authorJesper Juhl <jesper.juhl@gmail.com>2006-09-25 19:39:24 -0400
committerJeff Garzik <jeff@garzik.org>2006-09-25 20:01:19 -0400
commit46798c897e235e71e1e9c46a5e6e9adfffd8b85d (patch)
treea43e0781a3d2076321b19fc47ba2791e180e6860
parent84c22d7901f793bd267b5f79270080964b252826 (diff)
[PATCH] fix possible NULL ptr deref in forcedeth
There seems to be a possible NULL pointer deref bug in drivers/net/forcedeth.c::nv_loopback_test(). If dev_alloc_skb() fails, the next line will call skb_put() with a NULL first argument which it'll then try to deref - kaboom: a NULL pointer deref. Found by coverity (#1337). Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com> Cc: Ayaz Abdulla <aabdulla@nvidia.com> Cc: Manfred Spraul <manfred@colorfullife.com> Cc: Stephen Hemminger <shemminger@osdl.org> Cc: Jeff Garzik <jeff@garzik.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Jeff Garzik <jeff@garzik.org>
-rw-r--r--drivers/net/forcedeth.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/drivers/net/forcedeth.c b/drivers/net/forcedeth.c
index 97db910fbc8c..eea1d66c530e 100644
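--- a/drivers/net/forcedeth.c
+++ b/drivers/net/forcedeth.c
@@ -3789,6 +3789,12 @@ static int nv_loopback_test(struct net_device *dev)
 /* setup packet for tx */
 pkt_len = ETH_DATA_LEN;
 tx_skb = dev_alloc_skb(pkt_len);
+if (!tx_skb) {
+printk(KERN_ERR "dev_alloc_skb() failed during loopback test"
+" of %s\n", dev->name);
+ret = 0;
+goto out;
+}
 pkt_data = skb_put(tx_skb, pkt_len);
 for (i = 0; i < pkt_len; i++)
 pkt_data[i] = (u8)(i & 0xff);
@@ -3853,7 +3859,7 @@ static int nv_loopback_test(struct net_device *dev)
 tx_skb->end-tx_skb->data,
 PCI_DMA_TODEVICE);
 dev_kfree_skb_any(tx_skb);
-
+out:
 /* stop engines */
 nv_stop_rx(dev);
 nv_stop_tx(dev);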
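Review bot: The `ret = 0` in the new `!tx_skb` branch presumably reuses the value the function returns for a failed loopback test, so a caller would see a transient out-of-memory condition as a hardware fault, with only the `printk` telling the two apart. If that is intended, a comment on the branch would make it explicit, e.g. `/* alloc failure is reported as a failed test; nothing is mapped yet, so skip the unmap/free */`. The `out:` label sits after `pci_unmap_single()` and `dev_kfree_skb_any()`, which keeps the NULL skb away from both while the engine teardown below still runs. nv_loopback_test starts before the first hunk and continues past the second, so the meaning of `ret` and the state set up before the allocation should be confirmed against the full function.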