2006-05-20 19:22:33

by Florin Malita

Subject: [PATCH] orinoco: possible null pointer dereference in orinoco_rx_monitor()

If the skb allocation fails, the current error path calls
dev_kfree_skb_irq() with a NULL argument. Also, 'err' is not being used.

Coverity CID: 275.

Signed-off-by: Florin Malita <[email protected]>
---

diff --git a/drivers/net/wireless/orinoco.c b/drivers/net/wireless/orinoco.c
index 06523e2..c2d0b09 100644
--- a/drivers/net/wireless/orinoco.c
+++ b/drivers/net/wireless/orinoco.c
@@ -812,7 +812,6 @@ static void orinoco_rx_monitor(struct ne
if (datalen > IEEE80211_DATA_LEN + 12) {
printk(KERN_DEBUG "%s: oversized monitor frame, "
"data length = %d\n", dev->name, datalen);
- err = -EIO;
stats->rx_length_errors++;
goto update_stats;
}
@@ -821,8 +820,7 @@ static void orinoco_rx_monitor(struct ne
if (!skb) {
printk(KERN_WARNING "%s: Cannot allocate skb for monitor frame\n",
dev->name);
- err = -ENOMEM;
- goto drop;
+ goto update_stats;
}

/* Copy the 802.11 header to the skb */