diff options
author | Jesper Juhl <jj@chaosbits.net> | 2011-01-21 14:40:54 -0500 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2011-01-21 15:07:38 -0500 |
commit | bdc4bf652bc0271ba8f1f25bbd3dbac90bead44e (patch) | |
tree | 0df37186346b816a1f2c3c09b091175fc0f35568 /drivers/net/wireless/rtlwifi | |
parent | 783cd01e140d9db5c2d2279a96b81e16f9d81fef (diff) |
rtlwifi: Fix possible NULL dereference
In drivers/net/wireless/rtlwifi/pci.c::_rtl_pci_rx_interrupt() we call
dev_alloc_skb(), which may fail and return NULL, but we do not check the
returned value against NULL before dereferencing the returned pointer.
This may lead to a NULL pointer dereference which means we'll crash - not
good.
In a separate call to dev_alloc_skb(), the debug level is changed so that
the failure message will always be logged.
Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/rtlwifi')
-rw-r--r-- | drivers/net/wireless/rtlwifi/pci.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/drivers/net/wireless/rtlwifi/pci.c b/drivers/net/wireless/rtlwifi/pci.c index 0fa36aa6701a..1758d4463247 100644 --- a/drivers/net/wireless/rtlwifi/pci.c +++ b/drivers/net/wireless/rtlwifi/pci.c | |||
@@ -619,6 +619,13 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw) | |||
619 | struct sk_buff *uskb = NULL; | 619 | struct sk_buff *uskb = NULL; |
620 | u8 *pdata; | 620 | u8 *pdata; |
621 | uskb = dev_alloc_skb(skb->len + 128); | 621 | uskb = dev_alloc_skb(skb->len + 128); |
622 | if (!uskb) { | ||
623 | RT_TRACE(rtlpriv, | ||
624 | (COMP_INTR | COMP_RECV), | ||
625 | DBG_EMERG, | ||
626 | ("can't alloc rx skb\n")); | ||
627 | goto done; | ||
628 | } | ||
622 | memcpy(IEEE80211_SKB_RXCB(uskb), | 629 | memcpy(IEEE80211_SKB_RXCB(uskb), |
623 | &rx_status, | 630 | &rx_status, |
624 | sizeof(rx_status)); | 631 | sizeof(rx_status)); |
@@ -641,7 +648,7 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw) | |||
641 | new_skb = dev_alloc_skb(rtlpci->rxbuffersize); | 648 | new_skb = dev_alloc_skb(rtlpci->rxbuffersize); |
642 | if (unlikely(!new_skb)) { | 649 | if (unlikely(!new_skb)) { |
643 | RT_TRACE(rtlpriv, (COMP_INTR | COMP_RECV), | 650 | RT_TRACE(rtlpriv, (COMP_INTR | COMP_RECV), |
644 | DBG_DMESG, | 651 | DBG_EMERG, |
645 | ("can't alloc skb for rx\n")); | 652 | ("can't alloc skb for rx\n")); |
646 | goto done; | 653 | goto done; |
647 | } | 654 | } |
@@ -1066,9 +1073,9 @@ static int _rtl_pci_init_rx_ring(struct ieee80211_hw *hw) | |||
1066 | struct sk_buff *skb = | 1073 | struct sk_buff *skb = |
1067 | dev_alloc_skb(rtlpci->rxbuffersize); | 1074 | dev_alloc_skb(rtlpci->rxbuffersize); |
1068 | u32 bufferaddress; | 1075 | u32 bufferaddress; |
1069 | entry = &rtlpci->rx_ring[rx_queue_idx].desc[i]; | ||
1070 | if (!skb) | 1076 | if (!skb) |
1071 | return 0; | 1077 | return 0; |
1078 | entry = &rtlpci->rx_ring[rx_queue_idx].desc[i]; | ||
1072 | 1079 | ||
1073 | /*skb->dev = dev; */ | 1080 | /*skb->dev = dev; */ |
1074 | 1081 | ||