lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Sun, 13 Feb 2011 22:15:35 +0100 (CET)
From:	Jesper Juhl <jj@...osbits.net>
To:	linux-kernel@...r.kernel.org
cc:	linux-usb@...r.kernel.org, netdev@...r.kernel.org,
	Greg Kroah-Hartman <gregkh@...e.de>,
	Jan Dumon <j.dumon@...ion.com>, Filip Aben <f.aben@...ion.com>,
	Denis Joseph Barrow <d.barow@...ion.com>,
	Andrew Bird <ajb@...eresystems.co.uk>
Subject: [PATCH] Net, USB, Option, hso: Do not dereference NULL pointer

In drivers/net/usb/hso.c::hso_create_bulk_serial_device() we have this 
code:
...
	serial = kzalloc(sizeof(*serial), GFP_KERNEL);
	if (!serial)
		goto exit;
...
exit:
	hso_free_tiomget(serial);
...
hso_free_tiomget() directly dereferences its argument, which in the 
example above is a NULL pointer, ouch.
I could just add a 'if (serial)' test at the 'exit' label, but since most 
freeing functions in the kernel accept NULL pointers (and it seems like 
this was also assumed here) I opted to instead change 'hso_free_tiomget()' 
so that it is safe to call it with a NULL argument. I also modified the 
function to get rid of a pointles conditional before the call to 
'usb_free_urb()' since that function already tests for NULL itself - 
besides fixing the NULL deref this change also buys us a few bytes in 
size.
Before:
$ size drivers/net/usb/hso.o
   text    data     bss     dec     hex filename
  32200     592    9960   42752    a700 drivers/net/usb/hso.o
After:
$ size drivers/net/usb/hso.o
   text    data     bss     dec     hex filename
  32196     592    9960   42748    a6fc drivers/net/usb/hso.o

Signed-off-by: Jesper Juhl <jj@...osbits.net>
---
 hso.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index bed8fce..6d83812 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -2628,15 +2628,15 @@ exit:
 
 static void hso_free_tiomget(struct hso_serial *serial)
 {
-	struct hso_tiocmget *tiocmget = serial->tiocmget;
+	struct hso_tiocmget *tiocmget;
+	if (!serial)
+		return;
+	tiocmget = serial->tiocmget;
 	if (tiocmget) {
-		if (tiocmget->urb) {
-			usb_free_urb(tiocmget->urb);
-			tiocmget->urb = NULL;
-		}
+		usb_free_urb(tiocmget->urb);
+		tiocmget->urb = NULL;
 		serial->tiocmget = NULL;
 		kfree(tiocmget);
-
 	}
 }
 


-- 
Jesper Juhl <jj@...osbits.net>            http://www.chaosbits.net/
Plain text mails only, please.
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ