[BUG] staging: rtl8192e: possible null-pointer dereference in rtllib_wx_set_encode()

[BUG] staging: rtl8192e: possible null-pointer dereference in rtllib_wx_set_encode()

[Tuo Li]

Hello,

Our static analysis tool finds a possible null-pointer dereference in 
rtllib_wx.c in Linux 5.14.0-rc3:

The variable (*crypt)->ops is checked in:
342:    if (*crypt && (*crypt)->ops && strcmp((*crypt)->ops->name, 
"R-WEP") != 0)

This indicates that it can be NULL. If so, null-pointer dereferences 
will occur:
389:    (*crypt)->ops->set_key()
400:    len = (*crypt)->ops->get_key()

I am not quite sure whether this possible null-pointer dereference is 
real and how to fix it if it is real.
Any feedback would be appreciated, thanks!

Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>

Best wishes,
Tuo Li

Re: [BUG] staging: rtl8192e: possible null-pointer dereference in rtllib_wx_set_encode()

[Dan Carpenter]

On Wed, Aug 11, 2021 at 11:33:57AM +0800, Tuo Li wrote:
> Hello,
> 
> Our static analysis tool finds a possible null-pointer dereference in
> rtllib_wx.c in Linux 5.14.0-rc3:
> 
> The variable (*crypt)->ops is checked in:
> 342:    if (*crypt && (*crypt)->ops && strcmp((*crypt)->ops->name, "R-WEP")
> != 0)
> 
> This indicates that it can be NULL. If so, null-pointer dereferences will
> occur:
> 389:    (*crypt)->ops->set_key()
> 400:    len = (*crypt)->ops->get_key()
> 
> I am not quite sure whether this possible null-pointer dereference is real
> and how to fix it if it is real.
> Any feedback would be appreciated, thanks!
> 
> Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>

I don't *think* the check is required.

The data in ieee->crypt_info.crypt[idx] is set in rtllib_wx_set_encode()
and rtllib_wx_set_encode_ext() when we do "*crypt = new_crypt;".  (The
line is the same in both functions).  And in both cases ->ops is
non-NULL.

So probably the check should be removed.

On the other hand, I don't know the code very well and it's possible I
missed something.

regards,
dan carpenter