lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:	Wed, 7 Feb 2007 10:30:17 -0800 (PST)
From:	Levitsky Maxim <maximlevitsky@...oo.com>
To:	linux-kernel@...r.kernel.org
Cc:	tori@...appy.mine.nu, netdev@...r.kernel.org
Subject: [PATCH] [NETDEV] [002] dmfe : Fix possible oops

From: Maxim Levitsky <maximlevitsky@...oo.com>
Subject: [PATCH] [NET] [002] dmfe : Fix possible oops

Deallocate memory after driver is unregistred to prevent oops
Don't dereference NULL pointer that can be returned by dev_alloc_skb in case of oom

Signed-off-by: Maxim Levitsky <maximlevitsky@...oo.com>

---

--- linux-2.6.20-mod/drivers/net/tulip/dmfe.c   2007-02-07 18:27:07.000000000 +0200
+++ linux-2.6.20-test/drivers/net/tulip/dmfe.c  2007-02-07 18:27:59.000000000 +0200
@@ -497,13 +497,16 @@ static void __devexit dmfe_remove_one (s
        DMFE_DBUG(0, "dmfe_remove_one()", 0);
 
        if (dev) {
+               
+               unregister_netdev(dev);
+               pci_release_regions(pdev);
+               
+               
                pci_free_consistent(db->pdev, sizeof(struct tx_desc) *
                                        DESC_ALL_CNT + 0x20, db->desc_pool_ptr,
                                        db->desc_pool_dma_ptr);
                pci_free_consistent(db->pdev, TX_BUF_ALLOC * TX_DESC_CNT + 4,
                                        db->buf_pool_ptr, db->buf_pool_dma_ptr);
-               unregister_netdev(dev);
-               pci_release_regions(pdev);
                free_netdev(dev);       /* free board information */
                pci_set_drvdata(pdev, NULL);
        }
@@ -921,7 +924,7 @@ static inline u32 cal_CRC(unsigned char 
 static void dmfe_rx_packet(struct DEVICE *dev, struct dmfe_board_info * db)
 {
        struct rx_desc *rxptr;
-       struct sk_buff *skb;
+       struct sk_buff *skb, *newskb;
        int rxlen;
        u32 rdes0;
 
@@ -974,8 +977,10 @@ static void dmfe_rx_packet(struct DEVICE
                                        /* Good packet, send to upper layer */
                                        /* Shorst packet used new SKB */
                                        if ( (rxlen < RX_COPY_SIZE) &&
-                                               ( (skb = dev_alloc_skb(rxlen + 2) )
+                                               ( (newskb = dev_alloc_skb(rxlen + 2) )
                                                != NULL) ) {
+                                               
+                                               skb = newskb;
                                                /* size less than COPY_SIZE, allocate a rxlen SKB
*/
                                                skb->dev = dev;
                                                skb_reserve(skb, 2); /* 16byte align */



 
____________________________________________________________________________________
8:00? 8:25? 8:40? Find a flick in no time 
with the Yahoo! Search movie showtime shortcut.
http://tools.search.yahoo.com/shortcuts/#news
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists