Null dereference in uli526x_rx_packet()

Null dereference in uli526x_rx_packet()

[Dan Carpenter]

Smatch (http://repo.or.cz/w/smatch.git/) complains about the error 
handling in uli526x_rx_packet().

I don't know if the right fix is to return like this patch does or to set 
skb = rxptr->rx_skb_ptr again.

regards,
dan carpenter

--- orig/drivers/net/tulip/uli526x.c	2009-03-27 07:52:32.000000000 +0300
+++ devel/drivers/net/tulip/uli526x.c	2009-03-27 07:57:05.000000000 +0300
@@ -844,10 +844,13 @@
 
 				/* Good packet, send to upper layer */
 				/* Shorst packet used new SKB */
-				if ( (rxlen < RX_COPY_SIZE) &&
-					( (skb = dev_alloc_skb(rxlen + 2) )
-					!= NULL) ) {
-					/* size less than COPY_SIZE, allocate a rxlen SKB */
+				/* size less than COPY_SIZE, allocate a rxlen SKB */
+				if (rxlen < RX_COPY_SIZE) {
+					skb = dev_alloc_skb(rxlen + 2);
+					if (!skb)
+						return;
+				}
+				if (rxlen < RX_COPY_SIZE) {
 					skb_reserve(skb, 2); /* 16byte align */
 					memcpy(skb_put(skb, rxlen),
 					       skb_tail_pointer(rxptr->rx_skb_ptr),

Re: Null dereference in uli526x_rx_packet()

[Kyle McMartin]

On Fri, Mar 27, 2009 at 01:31:36PM +0300, Dan Carpenter wrote:
> Smatch (http://repo.or.cz/w/smatch.git/) complains about the error 
> handling in uli526x_rx_packet().
> 
> I don't know if the right fix is to return like this patch does or to set 
> skb = rxptr->rx_skb_ptr again.
> 

Ick... that's a good catch. I'll have to think about this.

regards, Kyle

> --- orig/drivers/net/tulip/uli526x.c	2009-03-27 07:52:32.000000000 +0300
> +++ devel/drivers/net/tulip/uli526x.c	2009-03-27 07:57:05.000000000 +0300
> @@ -844,10 +844,13 @@
>  
>  				/* Good packet, send to upper layer */
>  				/* Shorst packet used new SKB */
> -				if ( (rxlen < RX_COPY_SIZE) &&
> -					( (skb = dev_alloc_skb(rxlen + 2) )
> -					!= NULL) ) {
> -					/* size less than COPY_SIZE, allocate a rxlen SKB */
> +				/* size less than COPY_SIZE, allocate a rxlen SKB */
> +				if (rxlen < RX_COPY_SIZE) {
> +					skb = dev_alloc_skb(rxlen + 2);
> +					if (!skb)
> +						return;
> +				}
> +				if (rxlen < RX_COPY_SIZE) {
>  					skb_reserve(skb, 2); /* 16byte align */
>  					memcpy(skb_put(skb, rxlen),
>  					       skb_tail_pointer(rxptr->rx_skb_ptr),
> 

Re: Null dereference in uli526x_rx_packet()

[Kyle McMartin]

On Fri, Mar 27, 2009 at 10:47:54PM -0400, Kyle McMartin wrote:
> > I don't know if the right fix is to return like this patch does or to set 
> > skb = rxptr->rx_skb_ptr again.
> > 
> 
> Ick... that's a good catch. I'll have to think about this.
> 

I think this is alright, it at least keeps the original intent of the
code. I don't pretend to have figured it out yet though.

I'll stare more at this Monday...

I guess the real question is does anyone still have one of these
cards. I don't think I do, just the proper tulips. :/

diff --git a/drivers/net/tulip/uli526x.c b/drivers/net/tulip/uli526x.c
index 030e02e..9264a58 100644
--- a/drivers/net/tulip/uli526x.c
+++ b/drivers/net/tulip/uli526x.c
@@ -840,13 +840,15 @@ static void uli526x_rx_packet(struct net_device *dev, struct uli526x_board_info
 
 			if ( !(rdes0 & 0x8000) ||
 				((db->cr6_data & CR6_PM) && (rxlen>6)) ) {
+				struct sk_buff *new_skb = NULL;
+
 				skb = rxptr->rx_skb_ptr;
 
 				/* Good packet, send to upper layer */
 				/* Shorst packet used new SKB */
-				if ( (rxlen < RX_COPY_SIZE) &&
-					( (skb = dev_alloc_skb(rxlen + 2) )
-					!= NULL) ) {
+				if ((rxlen < RX_COPY_SIZE) &&
+				    ((new_skb = dev_alloc_skb(rxlen + 2) != NULL))) {
+					skb = new_skb;
 					/* size less than COPY_SIZE, allocate a rxlen SKB */
 					skb_reserve(skb, 2); /* 16byte align */
 					memcpy(skb_put(skb, rxlen),

Re: Null dereference in uli526x_rx_packet()

[Grant Grundler]

On Fri, Mar 27, 2009 at 11:23:32PM -0400, Kyle McMartin wrote:
> On Fri, Mar 27, 2009 at 10:47:54PM -0400, Kyle McMartin wrote:
> > > I don't know if the right fix is to return like this patch does or to set 
> > > skb = rxptr->rx_skb_ptr again.
> > > 
> > 
> > Ick... that's a good catch. I'll have to think about this.
> > 
> 
> I think this is alright, it at least keeps the original intent of the
> code. I don't pretend to have figured it out yet though.
> 
> I'll stare more at this Monday...
> 
> I guess the real question is does anyone still have one of these
> cards. I don't think I do, just the proper tulips. :/

Ditto. AFAIK, I only have tulips.

Patch below looks right to me. Clobbering the skb is certainly wrong.

Acked-by: Grant Grundler <grundler@parisc-linux.org>

thanks,
grant

> diff --git a/drivers/net/tulip/uli526x.c b/drivers/net/tulip/uli526x.c
> index 030e02e..9264a58 100644
> --- a/drivers/net/tulip/uli526x.c
> +++ b/drivers/net/tulip/uli526x.c
> @@ -840,13 +840,15 @@ static void uli526x_rx_packet(struct net_device *dev, struct uli526x_board_info
>  
>  			if ( !(rdes0 & 0x8000) ||
>  				((db->cr6_data & CR6_PM) && (rxlen>6)) ) {
> +				struct sk_buff *new_skb = NULL;
> +
>  				skb = rxptr->rx_skb_ptr;
>  
>  				/* Good packet, send to upper layer */
>  				/* Shorst packet used new SKB */
> -				if ( (rxlen < RX_COPY_SIZE) &&
> -					( (skb = dev_alloc_skb(rxlen + 2) )
> -					!= NULL) ) {
> +				if ((rxlen < RX_COPY_SIZE) &&
> +				    ((new_skb = dev_alloc_skb(rxlen + 2) != NULL))) {
> +					skb = new_skb;
>  					/* size less than COPY_SIZE, allocate a rxlen SKB */
>  					skb_reserve(skb, 2); /* 16byte align */
>  					memcpy(skb_put(skb, rxlen),

Re: Null dereference in uli526x_rx_packet()

[David Miller]

From: Grant Grundler <grundler@parisc-linux.org>
Date: Sat, 28 Mar 2009 23:35:13 -0600

> On Fri, Mar 27, 2009 at 11:23:32PM -0400, Kyle McMartin wrote:
> > On Fri, Mar 27, 2009 at 10:47:54PM -0400, Kyle McMartin wrote:
> > > > I don't know if the right fix is to return like this patch does or to set 
> > > > skb = rxptr->rx_skb_ptr again.
> > > > 
> > > 
> > > Ick... that's a good catch. I'll have to think about this.
> > > 
> > 
> > I think this is alright, it at least keeps the original intent of the
> > code. I don't pretend to have figured it out yet though.
> > 
> > I'll stare more at this Monday...
> > 
> > I guess the real question is does anyone still have one of these
> > cards. I don't think I do, just the proper tulips. :/
> 
> Ditto. AFAIK, I only have tulips.
> 
> Patch below looks right to me. Clobbering the skb is certainly wrong.
> 
> Acked-by: Grant Grundler <grundler@parisc-linux.org>

It looks correct to me, can we get a proper submission with
signoffs etc.?

Re: Null dereference in uli526x_rx_packet()

[Grant Grundler]

On Sat, Mar 28, 2009 at 11:59:31PM -0700, David Miller wrote:
> From: Grant Grundler <grundler@parisc-linux.org>
> Date: Sat, 28 Mar 2009 23:35:13 -0600
> 
> > On Fri, Mar 27, 2009 at 11:23:32PM -0400, Kyle McMartin wrote:
> > > On Fri, Mar 27, 2009 at 10:47:54PM -0400, Kyle McMartin wrote:
> > > > > I don't know if the right fix is to return like this patch does or to set 
> > > > > skb = rxptr->rx_skb_ptr again.
> > > > > 
> > > > 
> > > > Ick... that's a good catch. I'll have to think about this.
> > > > 
> > > 
> > > I think this is alright, it at least keeps the original intent of the
> > > code. I don't pretend to have figured it out yet though.
> > > 
> > > I'll stare more at this Monday...
> > > 
> > > I guess the real question is does anyone still have one of these
> > > cards. I don't think I do, just the proper tulips. :/
> > 
> > Ditto. AFAIK, I only have tulips.
> > 
> > Patch below looks right to me. Clobbering the skb is certainly wrong.
> > 
> > Acked-by: Grant Grundler <grundler@parisc-linux.org>
> 
> It looks correct to me, can we get a proper submission with
> signoffs etc.?

Dave,
Is that something I have to do or the original submitter?
Was the "Acked-by" appropriate for me to provide (as maintainer)?
I can resubmit with Signed-off-by if that's what is expected.

thanks,
grant

Re: Null dereference in uli526x_rx_packet()

[David Miller]

From: Grant Grundler <grundler@parisc-linux.org>
Date: Sun, 12 Apr 2009 20:45:05 -0600

> On Sat, Mar 28, 2009 at 11:59:31PM -0700, David Miller wrote:
>> From: Grant Grundler <grundler@parisc-linux.org>
>> Date: Sat, 28 Mar 2009 23:35:13 -0600
>> 
>> > On Fri, Mar 27, 2009 at 11:23:32PM -0400, Kyle McMartin wrote:
>> > > On Fri, Mar 27, 2009 at 10:47:54PM -0400, Kyle McMartin wrote:
>> > > > > I don't know if the right fix is to return like this patch does or to set 
>> > > > > skb = rxptr->rx_skb_ptr again.
>> > > > > 
>> > > > 
>> > > > Ick... that's a good catch. I'll have to think about this.
>> > > > 
>> > > 
>> > > I think this is alright, it at least keeps the original intent of the
>> > > code. I don't pretend to have figured it out yet though.
>> > > 
>> > > I'll stare more at this Monday...
>> > > 
>> > > I guess the real question is does anyone still have one of these
>> > > cards. I don't think I do, just the proper tulips. :/
>> > 
>> > Ditto. AFAIK, I only have tulips.
>> > 
>> > Patch below looks right to me. Clobbering the skb is certainly wrong.
>> > 
>> > Acked-by: Grant Grundler <grundler@parisc-linux.org>
>> 
>> It looks correct to me, can we get a proper submission with
>> signoffs etc.?
> 
> Dave,
> Is that something I have to do or the original submitter?

I would like the original submitted to do this.

> Was the "Acked-by" appropriate for me to provide (as maintainer)?

Yes, it is of course fine.

Re: Null dereference in uli526x_rx_packet()

[Grant Grundler]

On Sat, Mar 28, 2009 at 11:59:31PM -0700, David Miller wrote:
...
> > Patch below looks right to me. Clobbering the skb is certainly wrong.
> > 
> > Acked-by: Grant Grundler <grundler@parisc-linux.org>
> 
> It looks correct to me, can we get a proper submission with
> signoffs etc.?

Dave,
Looks like this patch was never resubmitted.

Kyle, can you look at http://lists.openwall.net/netdev/2009/03/27/117
and resubmit the code you had then with my "Acked-by" added please?

Or if you don't want to touch it, let me know and I'll resurrect it.

thanks,
grant

Re: Null dereference in uli526x_rx_packet()

[David Miller]

From: Grant Grundler <grundler@parisc-linux.org>
Date: Sun, 7 Feb 2010 00:15:40 -0700

> On Sat, Mar 28, 2009 at 11:59:31PM -0700, David Miller wrote:
> ...
>> > Patch below looks right to me. Clobbering the skb is certainly wrong.
>> > 
>> > Acked-by: Grant Grundler <grundler@parisc-linux.org>
>> 
>> It looks correct to me, can we get a proper submission with
>> signoffs etc.?
> 
> Dave,
> Looks like this patch was never resubmitted.
> 
> Kyle, can you look at http://lists.openwall.net/netdev/2009/03/27/117
> and resubmit the code you had then with my "Acked-by" added please?
> 
> Or if you don't want to touch it, let me know and I'll resurrect it.

I got tired of waiting for this resubmission (a month and a half) and
just applied the most recent version of the patch to net-2.6.

It looked correct to me too.

Re: Null dereference in uli526x_rx_packet()

[Grant Grundler]

On Fri, Mar 26, 2010 at 08:21:25PM -0700, David Miller wrote:
> From: Grant Grundler <grundler@parisc-linux.org>
> Date: Sun, 7 Feb 2010 00:15:40 -0700
> 
> > On Sat, Mar 28, 2009 at 11:59:31PM -0700, David Miller wrote:
> > ...
> >> > Patch below looks right to me. Clobbering the skb is certainly wrong.
> >> > 
> >> > Acked-by: Grant Grundler <grundler@parisc-linux.org>
> >> 
> >> It looks correct to me, can we get a proper submission with
> >> signoffs etc.?
> > 
> > Dave,
> > Looks like this patch was never resubmitted.
> > 
> > Kyle, can you look at http://lists.openwall.net/netdev/2009/03/27/117
> > and resubmit the code you had then with my "Acked-by" added please?
> > 
> > Or if you don't want to touch it, let me know and I'll resurrect it.
> 
> I got tired of waiting for this resubmission (a month and a half) and
> just applied the most recent version of the patch to net-2.6.
> 
> It looked correct to me too.

Thank you!
grant