aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJesper Juhl <jesper.juhl@gmail.com>2007-10-16 04:27:51 -0400
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-10-16 12:43:10 -0400
commitb1b2e7cf4a9742f61d76fcb419b1fd13159876a5 (patch)
treeda6855dbf5d1216e53d7ab27b7a2b1cce6a36a1b
parent4e3dfacaa0b8e469f412ae776f222102042d7e24 (diff)
fix possible NULL deref on low memory condition in capidrv.c::send_message()
If we fail to allocate an skb in drivers/isdn/capi/capidrv.c::send_message(), then we'll end up dereferencing a NULL pointer. Since out of memory conditions are not unheard of, I believe it is better to print a error message and just return rather than bring down the whole kernel. Sure, doing this may upset some application, but that's still better than crashing the whole system. Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com> Acked-by: Karsten Keil <kkeil@suse.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--drivers/isdn/capi/capidrv.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/isdn/capi/capidrv.c b/drivers/isdn/capi/capidrv.c
index 23b6f7bc16b7..476012b6dfac 100644
--- a/drivers/isdn/capi/capidrv.c
+++ b/drivers/isdn/capi/capidrv.c
@@ -506,9 +506,14 @@ static void send_message(capidrv_contr * card, _cmsg * cmsg)
506{ 506{
507 struct sk_buff *skb; 507 struct sk_buff *skb;
508 size_t len; 508 size_t len;
509
509 capi_cmsg2message(cmsg, cmsg->buf); 510 capi_cmsg2message(cmsg, cmsg->buf);
510 len = CAPIMSG_LEN(cmsg->buf); 511 len = CAPIMSG_LEN(cmsg->buf);
511 skb = alloc_skb(len, GFP_ATOMIC); 512 skb = alloc_skb(len, GFP_ATOMIC);
513 if (!skb) {
514 printk(KERN_ERR "capidrv::send_message: can't allocate mem\n");
515 return;
516 }
512 memcpy(skb_put(skb, len), cmsg->buf, len); 517 memcpy(skb_put(skb, len), cmsg->buf, len);
513 if (capi20_put_message(&global.ap, skb) != CAPI_NOERROR) 518 if (capi20_put_message(&global.ap, skb) != CAPI_NOERROR)
514 kfree_skb(skb); 519 kfree_skb(skb);