[PATCH][hid] Fix a NULL pointer dereference when we fail to allocate memory

linux-input.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH][hid] Fix a NULL pointer dereference when we fail to allocate memory
@ 2007-07-21 22:06 Jesper Juhl
  2007-07-22  5:47 ` Jiri Slaby
  2007-07-30 13:19 ` Jiri Kosina
  0 siblings, 2 replies; 5+ messages in thread
From: Jesper Juhl @ 2007-07-21 22:06 UTC (permalink / raw)
  To: Jiri Kosina
  Cc: Linux Kernel Mailing List, Michael Haboustak, Andreas Gal,
	Vojtech Pavlik, Greg Kroah-Hartman, linux-input, Jesper Juhl

Hi,

If, in usb_hid_configure(), we fail to allocate storage for 'usbhid', 
 "if (!(usbhid = kzalloc(sizeof(struct usbhid_device), GFP_KERNEL)))", 
then we'll jump to the 'fail:' label where we have this code:
        usb_free_urb(usbhid->urbin);
        usb_free_urb(usbhid->urbout);
        usb_free_urb(usbhid->urbctrl);
Since we got here because we couldn't allocate storage for 'usbhid', 
what we have here is a NULL pointer dereference - ouch...

This patch solves that little problem by adding a new 
'fail_no_usbhid:' label after the problematic calls to 
usb_free_urb() and jumps to that one instead, in the problem case.


Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
---

 drivers/hid/usbhid/hid-core.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index b2baeae..3ff7468 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -743,7 +743,7 @@ static struct hid_device *usb_hid_configure(struct usb_interface *intf)
 	hid->quirks = quirks;
 
 	if (!(usbhid = kzalloc(sizeof(struct usbhid_device), GFP_KERNEL)))
-		goto fail;
+		goto fail_no_usbhid;
 
 	hid->driver_data = usbhid;
 	usbhid->hid = hid;
@@ -877,6 +877,7 @@ fail:
 	usb_free_urb(usbhid->urbin);
 	usb_free_urb(usbhid->urbout);
 	usb_free_urb(usbhid->urbctrl);
+fail_no_usbhid:
 	hid_free_buffers(dev, hid);
 	hid_free_device(hid);
 

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH][hid] Fix a NULL pointer dereference when we fail to allocate memory
  2007-07-21 22:06 [PATCH][hid] Fix a NULL pointer dereference when we fail to allocate memory Jesper Juhl
@ 2007-07-22  5:47 ` Jiri Slaby
  2007-07-30 13:56   ` Jiri Kosina
  2007-07-30 14:04   ` Jesper Juhl
  2007-07-30 13:19 ` Jiri Kosina
  1 sibling, 2 replies; 5+ messages in thread
From: Jiri Slaby @ 2007-07-22  5:47 UTC (permalink / raw)
  To: Jesper Juhl
  Cc: Jiri Kosina, Linux Kernel Mailing List, Michael Haboustak,
	Andreas Gal, Vojtech Pavlik, Greg Kroah-Hartman, linux-input

Jesper Juhl napsal(a):
>  drivers/hid/usbhid/hid-core.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
> 
> diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
> index b2baeae..3ff7468 100644
> --- a/drivers/hid/usbhid/hid-core.c
> +++ b/drivers/hid/usbhid/hid-core.c
> @@ -743,7 +743,7 @@ static struct hid_device *usb_hid_configure(struct usb_interface *intf)
>  	hid->quirks = quirks;
>  
>  	if (!(usbhid = kzalloc(sizeof(struct usbhid_device), GFP_KERNEL)))

Out of curiosity, where is this freed?

-- 
Jiri Slaby (jirislaby@gmail.com)
Faculty of Informatics, Masaryk University

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH][hid] Fix a NULL pointer dereference when we fail to allocate memory
  2007-07-21 22:06 [PATCH][hid] Fix a NULL pointer dereference when we fail to allocate memory Jesper Juhl
  2007-07-22  5:47 ` Jiri Slaby
@ 2007-07-30 13:19 ` Jiri Kosina
  1 sibling, 0 replies; 5+ messages in thread
From: Jiri Kosina @ 2007-07-30 13:19 UTC (permalink / raw)
  To: Jesper Juhl
  Cc: Jiri Kosina, Linux Kernel Mailing List, Michael Haboustak,
	Andreas Gal, Vojtech Pavlik, Greg Kroah-Hartman, linux-input

On Sun, 22 Jul 2007, Jesper Juhl wrote:

> If, in usb_hid_configure(), we fail to allocate storage for 'usbhid', 
>  "if (!(usbhid = kzalloc(sizeof(struct usbhid_device), GFP_KERNEL)))", 
> then we'll jump to the 'fail:' label where we have this code:
>         usb_free_urb(usbhid->urbin);
>         usb_free_urb(usbhid->urbout);
>         usb_free_urb(usbhid->urbctrl);
> Since we got here because we couldn't allocate storage for 'usbhid', 
> what we have here is a NULL pointer dereference - ouch...

Hi Jesper,

thanks a lot for noticing this, I have queued your patch in HID tree.

(and sorry for late reply, I was offline on vacation for some time).

-- 
Jiri Kosina

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH][hid] Fix a NULL pointer dereference when we fail to allocate memory
  2007-07-22  5:47 ` Jiri Slaby
@ 2007-07-30 13:56   ` Jiri Kosina
  2007-07-30 14:04   ` Jesper Juhl
  1 sibling, 0 replies; 5+ messages in thread
From: Jiri Kosina @ 2007-07-30 13:56 UTC (permalink / raw)
  To: Jiri Slaby
  Cc: Jesper Juhl, Linux Kernel Mailing List, Michael Haboustak,
	Andreas Gal, Greg Kroah-Hartman, linux-input

On Sun, 22 Jul 2007, Jiri Slaby wrote:

> > --- a/drivers/hid/usbhid/hid-core.c
> > +++ b/drivers/hid/usbhid/hid-core.c
> > @@ -743,7 +743,7 @@ static struct hid_device *usb_hid_configure(struct usb_interface *intf)
> >  	hid->quirks = quirks;
> >  
> >  	if (!(usbhid = kzalloc(sizeof(struct usbhid_device), GFP_KERNEL)))
> Out of curiosity, where is this freed?

I have queued the fix below on top of Jesper's patch, thanks.


diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index 3ff7468..6e73934 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -877,6 +877,7 @@ fail:
 	usb_free_urb(usbhid->urbin);
 	usb_free_urb(usbhid->urbout);
 	usb_free_urb(usbhid->urbctrl);
+	kfree(usbhid);
 fail_no_usbhid:
 	hid_free_buffers(dev, hid);
 	hid_free_device(hid);
@@ -912,6 +913,7 @@ static void hid_disconnect(struct usb_interface *intf)
 	usb_free_urb(usbhid->urbin);
 	usb_free_urb(usbhid->urbctrl);
 	usb_free_urb(usbhid->urbout);
+	kfree(usbhid);
 
 	hid_free_buffers(hid_to_usb_dev(hid), hid);
 	hid_free_device(hid);

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH][hid] Fix a NULL pointer dereference when we fail to allocate memory
  2007-07-22  5:47 ` Jiri Slaby
  2007-07-30 13:56   ` Jiri Kosina
@ 2007-07-30 14:04   ` Jesper Juhl
  1 sibling, 0 replies; 5+ messages in thread
From: Jesper Juhl @ 2007-07-30 14:04 UTC (permalink / raw)
  To: Jiri Slaby
  Cc: Jiri Kosina, Linux Kernel Mailing List, Michael Haboustak,
	Andreas Gal, Vojtech Pavlik, Greg Kroah-Hartman, linux-input

On 22/07/07, Jiri Slaby <jirislaby@gmail.com> wrote:
> Jesper Juhl napsal(a):
> >  drivers/hid/usbhid/hid-core.c |    3 ++-
> >  1 files changed, 2 insertions(+), 1 deletions(-)
> >
> > diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
> > index b2baeae..3ff7468 100644
> > --- a/drivers/hid/usbhid/hid-core.c
> > +++ b/drivers/hid/usbhid/hid-core.c
> > @@ -743,7 +743,7 @@ static struct hid_device *usb_hid_configure(struct usb_interface *intf)
> >       hid->quirks = quirks;
> >
> >       if (!(usbhid = kzalloc(sizeof(struct usbhid_device), GFP_KERNEL)))
>
> Out of curiosity, where is this freed?
>
Sorry, I didn't notice your email until now.  It's not freed anywhere
:-(   But I see that Jiri Kosina just queued a fix for that, so now
all is good :-)

-- 
Jesper Juhl <jesper.juhl@gmail.com>
Don't top-post  http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please      http://www.expita.com/nomime.html

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2007-07-30 14:04 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-07-21 22:06 [PATCH][hid] Fix a NULL pointer dereference when we fail to allocate memory Jesper Juhl
2007-07-22  5:47 ` Jiri Slaby
2007-07-30 13:56   ` Jiri Kosina
2007-07-30 14:04   ` Jesper Juhl
2007-07-30 13:19 ` Jiri Kosina

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).