Re: [2.6 patch] net/llc/llc_conn.c: fix possible NULL dereference

Re: [2.6 patch] net/llc/llc_conn.c: fix possible NULL dereference

[Herbert Xu]

Eugene Teo <eteo@redhat.com> wrote:
>
> diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
> index 3b8cfbe..28a3994 100644
> --- a/net/llc/llc_conn.c
> +++ b/net/llc/llc_conn.c
> @@ -323,7 +323,8 @@ int llc_conn_remove_acked_pdus(struct sock *sk, u8 nr, u16
> *how_many_unacked)
> 
>        if (!q_len)
>                goto out;
> -       skb = skb_peek(&llc->pdu_unack_q);
> +       if (! (skb = skb_peek(&llc->pdu_unack_q)))
> +               goto out;

Actually we just checked that the queue length is non-zero so there
must be a packet there unless someone's just removed it.  If it were
possible for someone else to remove it in parallel, then we've got
bigger problems to worry about :)

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [2.6 patch] net/llc/llc_conn.c: fix possible NULL dereference

[Eugene Teo]

[-- Attachment #1: Type: text/plain, Size: 696 bytes --]

Randy Dunlap wrote:
> On Sat, 19 May 2007 13:13:07 +0800 Eugene Teo wrote:
> 
>> skb_peek() might return an empty list. skb should be checked before calling
>> llc_pdu_sn_hdr() with it.
>>
>> Spotted by the Coverity checker.
>>
>> Signed-off-by: Eugene Teo <eteo@redhat.com>
[...]
> 
> Oh, and your patch has spaces instead of tabs.  It's a hassle to
> get thunderbird to send a patch that preserves tabs.  See if this:
>    http://mbligh.org/linuxdocs/Email/Clients/Thunderbird
> helps you any.

Here's a resend:

skb_peek() might return an empty list. skb should be checked before calling
llc_pdu_sn_hdr() with it.

Spotted by the Coverity checker.

Signed-off-by: Eugene Teo <eteo@redhat.com>

[-- Attachment #2: 2.6-llc_conn.patch --]
[-- Type: text/x-patch, Size: 403 bytes --]

diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
index 3b8cfbe..6d3a07e 100644
--- a/net/llc/llc_conn.c
+++ b/net/llc/llc_conn.c
@@ -324,6 +324,8 @@ int llc_conn_remove_acked_pdus(struct sock *sk, u8 nr, u16 *how_many_unacked)
 	if (!q_len)
 		goto out;
 	skb = skb_peek(&llc->pdu_unack_q);
+	if (!skb)
+		goto out;
 	pdu = llc_pdu_sn_hdr(skb);
 
 	/* finding position of last acked pdu in queue */

Re: [2.6 patch] net/llc/llc_conn.c: fix possible NULL dereference

[David Miller]

From: Eugene Teo <eteo@redhat.com>
Date: Sat, 19 May 2007 13:49:11 +0800

> Spotted by the Coverity checker.

Why am I not surprised :-(

There is no bug here, if Coverity warns every single time skb_peek()
is used and not tested against NULL, that's a very serious shortcoming
of Coverity or what it has been taught about SKB queues.

It needs to learn that skb_queue_len() != 0 implies skb_peek() will
not return NULL sans locking errors.