Message ID | 20230814095041.16416-1-dmantipov@yandex.ru |
---|---|
State | New |
Headers | show |
Series | [v2] wifi: mwifiex: avoid possible NULL skb pointer dereference | expand |
Dmitry Antipov <dmantipov@yandex.ru> wrote: > In 'mwifiex_handle_uap_rx_forward()', always check the value > returned by 'skb_copy()' to avoid potential NULL pointer > dereference in 'mwifiex_uap_queue_bridged_pkt()', and drop > original skb in case of copying failure. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: 838e4f449297 ("mwifiex: improve uAP RX handling") > Acked-by: Brian Norris <briannorris@chromium.org> > Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru> Patch applied to wireless-next.git, thanks. 35a7a1ce7c7d wifi: mwifiex: avoid possible NULL skb pointer dereference
diff --git a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c index 04ff051f5d18..a8a9986102a2 100644 --- a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +++ b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c @@ -252,7 +252,15 @@ int mwifiex_handle_uap_rx_forward(struct mwifiex_private *priv, if (is_multicast_ether_addr(ra)) { skb_uap = skb_copy(skb, GFP_ATOMIC); - mwifiex_uap_queue_bridged_pkt(priv, skb_uap); + if (likely(skb_uap)) { + mwifiex_uap_queue_bridged_pkt(priv, skb_uap); + } else { + mwifiex_dbg(adapter, ERROR, + "failed to copy skb for uAP\n"); + priv->stats.rx_dropped++; + dev_kfree_skb_any(skb); + return -1; + } } else { if (mwifiex_get_sta_entry(priv, ra)) { /* Requeue Intra-BSS packet */