From: "Bjørn Mork" <bjorn@mork.no>
To: Vivek Kumar Bhagat <vivek.bhagat@samsung.com>
Cc: netdev@vger.kernel.org, nitin.j@samsung.com, hemanshu.s@samsung.com
Subject: Re: [PATCH] usbnet: dereference after null check in usbnet_start_xmit() and __usbnet_read_cmd()
Date: Wed, 19 Aug 2015 14:03:19 +0200
Message-ID: <87bne3eb94.fsf@nemi.mork.no>
In-Reply-To: <87fv3febt3.fsf@nemi.mork.no> ("Bjørn Mork"'s message of "Wed, 19 Aug 2015 13:51:20 +0200")

Bjørn Mork <bjorn@mork.no> writes:
> Vivek Kumar Bhagat <vivek.bhagat@samsung.com> writes:
>
>> @@ -1906,7 +1908,8 @@ static int __usbnet_read_cmd(struct usbnet *dev, u8 cmd, u8 reqtype,
>> buf = kmalloc(size, GFP_KERNEL);
>> if (!buf)
>> goto out;
>> - }
>> + } else
>> + goto out;
>>
>> err = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
>> cmd, reqtype, value, index, buf, size,
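
Review bot: The `else goto out;` added after the kmalloc() block bails out before usb_control_msg() whenever no buffer is allocated, so a call with data == NULL and size == 0 now fails with the preset error (-ENOMEM per the reply below) instead of issuing the control request. Callers that pass NULL, 0 for a request with no data to read back, such as pl_vendor_req() in drivers/net/usb/plusb.c quoted further down, would regress. Drop the else branch; if the aim is to silence a dereference-after-NULL-check warning, put the check on the copy into data that follows usb_control_msg() rather than on the request itself. Style point: had the branch stayed, kernel coding style wants braces on both arms once one arm has them.
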
>
>
> This is also wrong. It makes __usbnet_read_cmd() return -ENOMEM if
> called with a NULL data pointer. I don't know if it is used, but it's
> perfectly valid to call __usbnet_read_cmd() with data == NULL if
> size == 0. No memcpy will happen in this case because usb_control_msg
> can only return 0 or an error

Just for the record - a simple grep for usbnet_read_cmd shows that at
least drivers/net/usb/plusb.c depends on the current behaviour:

	static inline int
	pl_vendor_req(struct usbnet *dev, u8 req, u8 val, u8 index)
	{
		return usbnet_read_cmd(dev, req,
					USB_DIR_IN | USB_TYPE_VENDOR |
					USB_RECIP_DEVICE,
					val, index, NULL, 0);
	}

Bjørn
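
The behaviour discussed in the message above, as a user-space C model added here (not code from the kernel or from anyone in the thread). fake_control_msg(), model_read_cmd() and vendor_req_model() are hypothetical names, and the `if (data)` guard and the copy-out condition are assumptions reconstructed from the quoted hunk and the reply.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for usb_control_msg(): returns bytes transferred. */
static int fake_control_msg(void *buf, uint16_t size)
{
	if (size)
		memset(buf, 0xAB, size);
	return size;
}

/* Model of the read path; patched != 0 adds the proposed "else goto out". */
static int model_read_cmd(void *data, uint16_t size, int patched)
{
	void *buf = NULL;
	int err = -ENOMEM;

	if (data) {		/* assumed guard, not visible in the hunk */
		buf = malloc(size);
		if (!buf)
			goto out;
	} else if (patched) {
		goto out;	/* proposed change: no buffer, no request */
	}

	err = fake_control_msg(buf, size);
	/* Copy-out needs a positive length, so data == NULL with size == 0
	 * never reaches memcpy(). */
	if (err > 0 && err <= size)
		memcpy(data, buf, err);
	free(buf);
out:
	return err;
}

/* Same argument shape as pl_vendor_req(): data = NULL, size = 0. */
static int vendor_req_model(int patched)
{
	return model_read_cmd(NULL, 0, patched);
}

int main(void)
{
	printf("current: %d, patched: %d\n", vendor_req_model(0), vendor_req_model(1));
	return 0;
}
```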