lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <100d06e2398742bb82bd5300ce70d900@realtek.com>
Date:   Fri, 24 Dec 2021 00:28:33 +0000
From:   Pkshih <pkshih@...ltek.com>
To:     Muhammad Usama Anjum <usama.anjum@...labora.com>,
        Yan-Hsuan Chuang <tony0620emma@...il.com>,
        Kalle Valo <kvalo@...nel.org>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Bernie Huang <phhuang@...ltek.com>,
        "open list:REALTEK WIRELESS DRIVER (rtw88)" 
        <linux-wireless@...r.kernel.org>,
        "open list:NETWORKING DRIVERS" <netdev@...r.kernel.org>,
        open list <linux-kernel@...r.kernel.org>
CC:     "kernel@...labora.com" <kernel@...labora.com>
Subject: RE: [PATCH] rtw88: check for validity before using pointer



> -----Original Message-----
> From: Muhammad Usama Anjum <usama.anjum@...labora.com>
> Sent: Friday, December 24, 2021 1:51 AM
> To: Yan-Hsuan Chuang <tony0620emma@...il.com>; Kalle Valo <kvalo@...nel.org>; David S. Miller
> <davem@...emloft.net>; Jakub Kicinski <kuba@...nel.org>; Pkshih <pkshih@...ltek.com>; Bernie Huang
> <phhuang@...ltek.com>; open list:REALTEK WIRELESS DRIVER (rtw88) <linux-wireless@...r.kernel.org>; open
> list:NETWORKING DRIVERS <netdev@...r.kernel.org>; open list <linux-kernel@...r.kernel.org>
> Cc: usama.anjum@...labora.com; kernel@...labora.com
> Subject: [PATCH] rtw88: check for validity before using pointer
> 
> ieee80211_probereq_get() can return NULL. Pointer skb should be checked
> for validty before use.
> 
> Fixes: 10d162b2ed39 ("rtw88: 8822c: add ieee80211_ops::hw_scan")
> Signed-off-by: Muhammad Usama Anjum <usama.anjum@...labora.com>
> ---
>  drivers/net/wireless/realtek/rtw88/fw.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/net/wireless/realtek/rtw88/fw.c b/drivers/net/wireless/realtek/rtw88/fw.c
> index 2f7c036f9022..0fc05a810d05 100644
> --- a/drivers/net/wireless/realtek/rtw88/fw.c
> +++ b/drivers/net/wireless/realtek/rtw88/fw.c
> @@ -1866,6 +1866,8 @@ static int rtw_hw_scan_update_probe_req(struct rtw_dev *rtwdev,
>  					     req->ssids[i].ssid,
>  					     req->ssids[i].ssid_len,
>  					     req->ie_len);
> +		if (!skb)
> +			return -ENOMEM;
>  		rtw_append_probe_req_ie(rtwdev, skb, &list, rtwvif);
>  		kfree_skb(skb);
>  	}

Without properly freeing skb(s) in list, it leads memory leak.
We need something below to free them:

	if (!skb)
		goto out;

	[...]

out:
	skb_queue_walk(&list, skb)
		kfree_skb(skb);

	return -ENOMEM;

So, NACK this patch.

--
Ping-Ke

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ