From: "Bjørn Mork" <bjorn@mork.no>
To: Vivek Kumar Bhagat <vivek.bhagat@samsung.com>
Cc: netdev@vger.kernel.org, nitin.j@samsung.com, hemanshu.s@samsung.com
Subject: Re: [PATCH] usbnet: dereference after null check in usbnet_start_xmit() and __usbnet_read_cmd()
Date: Wed, 19 Aug 2015 13:51:20 +0200	[thread overview]
Message-ID: <87fv3febt3.fsf@nemi.mork.no> (raw)
In-Reply-To: <907196681.281711439983295252.JavaMail.weblogic@ep2mlwas02b> (Vivek Kumar Bhagat's message of "Wed, 19 Aug 2015 11:21:35 +0000 (GMT)")

Vivek Kumar Bhagat <vivek.bhagat@samsung.com> writes:

> usbnet_start_xmit() - If info->tx_fixup is not defined by class driver,
> NULL check does not happen for skb pointer and leads to NULL dereference.
> __usbnet_read_cmd() - if data pointer is passed as NULL, memcpy will
> dereference NULL pointer.

That's two completely different issues.  Mixing them in a single patch
is only confusing things.


> Signed-off-by: Vivek Kumar Bhagat <vivek.bhagat@samsung.com>
> ---
>  drivers/net/usb/usbnet.c |    5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
> index 3c86b10..ec4d224 100644
> --- a/drivers/net/usb/usbnet.c
> +++ b/drivers/net/usb/usbnet.c
> @@ -1294,6 +1294,8 @@ netdev_tx_t usbnet_start_xmit (struct sk_buff *skb,
>  
>  	if (skb)
>  		skb_tx_timestamp(skb);
> +	else
> +		goto drop;
>  
>  	// some devices want funky USB-level framing, for
>  	// win32 driver (usually) and/or hardware quirks
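Review bot: the new `else goto drop` after `skb_tx_timestamp(skb)` turns a NULL skb into a dropped packet before the framing step that follows, while the existing `if (skb)` guard shows that NULL is an input this path deliberately tolerates; dropping here changes behaviour for any caller that relies on the later framing being reached with skb == NULL. If a concrete caller hits a NULL dereference further down, the fix belongs at that dereference, and the commit message should cite the oops that shows it; otherwise the timestamp guard should stay the only NULL-specific step here.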


This is wrong.  There are usbnet minidrivers depending on info->tx_fixup
being called with a NULL skb.


> @@ -1906,7 +1908,8 @@ static int __usbnet_read_cmd(struct usbnet *dev, u8 cmd, u8 reqtype,
>  		buf = kmalloc(size, GFP_KERNEL);
>  		if (!buf)
>  			goto out;
> -	}
> +	} else
> +		goto out;
>  
>  	err = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
>  			      cmd, reqtype, value, index, buf, size,
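Review bot: `} else goto out;` makes a NULL `data` pointer take the same exit as a failed kmalloc(), so the function now reports an allocation failure for a caller that legitimately passes data == NULL with size == 0 (the existing `if (data)` guard exists precisely so that no buffer is allocated in that case). If the concern is the memcpy into `data` after usb_control_msg(), that copy is what should be guarded, not the control transfer itself. Separately, kernel style wants braces on both branches once one branch has them: `} else {` / `goto out;` / `}`.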


This is also wrong.  It makes __usbnet_read_cmd() return -ENOMEM if
called with a NULL data pointer.  I don't know if it is used, but it's
perfectly valid to call __usbnet_read_cmd() with data == NULL if
size == 0.  No memcpy will happen in this case because usb_control_msg
can only return 0 or an error.

Please don't submit any more such patches without proper justification.
You cannot trust that someone will actually take the time to sanity
check your changes.  Patches claiming to fix a NULL dereference should
at least provide an oops.


Bjørn
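The contract Bjørn describes for __usbnet_read_cmd() (data == NULL is valid when size == 0, and the copy into data only happens for a positive byte count bounded by size) as a user-space model. This is an added example, not code from the kernel or from the patch under review; model_usb_control_msg() is a stand-in for usb_control_msg() and the 4-byte register block it reads from is constructed for the example.

```c
/* Added example, not kernel code: a user-space model of the
 * __usbnet_read_cmd() contract discussed above.  model_usb_control_msg()
 * stands in for usb_control_msg() and device_regs is a constructed device. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <stdint.h>

static const uint8_t device_regs[4] = { 0xde, 0xad, 0xbe, 0xef }; /* constructed */

/* Stand-in for usb_control_msg(): returns the number of bytes transferred
 * (0 for a zero-length transfer) or a negative errno.  It never returns
 * more than the caller's buffer length, which is what bounds the copy below. */
static int model_usb_control_msg(void *buf, uint16_t size)
{
	if (size == 0)
		return 0;		/* zero-length IN transfer: nothing to copy */
	if (buf == NULL)
		return -EINVAL;		/* assumption: a real transfer needs a buffer */
	if (size > sizeof(device_regs))
		size = sizeof(device_regs);	/* short read */
	memcpy(buf, device_regs, size);
	return size;
}

/* Model of __usbnet_read_cmd(): allocate a bounce buffer only when the
 * caller supplied a destination, and copy only the bytes actually read. */
int model_usbnet_read_cmd(void *data, uint16_t size)
{
	int err = -ENOMEM;
	void *buf = NULL;

	if (data) {
		/* malloc(0) may return NULL in user space; kmalloc(0) does not */
		buf = malloc(size ? size : 1);
		if (!buf)
			goto out;
	}

	err = model_usb_control_msg(buf, size);
	/* The copy runs only for 0 < err <= size.  With data == NULL and
	 * size == 0, err is 0 and data is never dereferenced. */
	if (err > 0 && err <= size)
		memcpy(data, buf, err);
	free(buf);
out:
	return err;
}

/* Returns 1 when a read of `size` bytes (size <= 4) succeeds and the
 * returned bytes match the constructed device registers. */
int model_read_check(uint16_t size)
{
	uint8_t buf[sizeof(device_regs)] = { 0 };
	int err = model_usbnet_read_cmd(buf, size);

	return err == (int)size && memcmp(buf, device_regs, size) == 0;
}

int main(void)
{
	printf("data == NULL, size == 0 -> %d\n", model_usbnet_read_cmd(NULL, 0));
	printf("4-byte read matches device: %d\n", model_read_check(4));
	return 0;
}
```

The NULL/size 0 call returns 0 without allocating or copying, which is the case the patch would have turned into an -ENOMEM failure; the bounded `err <= size` check is what keeps the memcpy within the caller's buffer on a short or over-long reply.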
