From: Jia-Ju Bai
To: isdn@linux-pingi.de, davem@davemloft.net, pakki001@umn.edu, tranmanphong@gmail.com, gregkh@linuxfoundation.org, rfontana@redhat.com, gustavo@embeddedor.com, tglx@linutronix.de
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Jia-Ju Bai
Subject: [PATCH] isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in start_isoc_chain()
Date: Fri, 26 Jul 2019 16:27:36 +0800
Message-Id: <20190726082736.8195-1-baijiaju1990@gmail.com>

In start_isoc_chain(), usb_alloc_urb() on line 1392 may fail and return
NULL. At this time, fifo->iso[i].urb is assigned to NULL.

Then, fifo->iso[i].urb is used at some places, such as:
LINE 1405: fill_isoc_urb(fifo->iso[i].urb, ...)
               urb->number_of_packets = num_packets;
               urb->transfer_flags = URB_ISO_ASAP;
               urb->actual_length = 0;
               urb->interval = interval;
LINE 1416: fifo->iso[i].urb->...
LINE 1419: fifo->iso[i].urb->...

Thus, possible null-pointer dereferences may occur.

To fix these bugs, "continue" is added to avoid using fifo->iso[i].urb
when it is NULL.

These bugs are found by a static analysis tool STCheck written by us.

Signed-off-by: Jia-Ju Bai --- drivers/isdn/hardware/mISDN/hfcsusb.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c index 0e224232f746..8fb7c5dea07f 100644 --- a/drivers/isdn/hardware/mISDN/hfcsusb.c +++ b/drivers/isdn/hardware/mISDN/hfcsusb.c @@ -1394,6 +1394,7 @@ start_isoc_chain(struct usb_fifo *fifo, int num_packets_per_urb, printk(KERN_DEBUG "%s: %s: alloc urb for fifo %i failed", hw->name, __func__, fifo->fifonum); + continue; } fifo->iso[i].owner_fifo = (struct usb_fifo *) fifo; fifo->iso[i].indx = i; -- 2.17.0
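
Review bot: The `continue` added after the printk in the usb_alloc_urb() failure branch of start_isoc_chain() avoids the dereference but swallows the allocation failure. The loop just moves on to the next i, and nothing in the hunk records an error, so the caller may be told the isochronous chain started when one slot was never set up. That slot keeps urb == NULL and never gets owner_fifo or indx assigned, so any code outside this loop that touches fifo->iso[i].urb needs its own NULL check. Consider recording -ENOMEM before skipping the slot (or bailing out and releasing URBs already allocated for this fifo) so the failure reaches the caller, and say in the commit message which behaviour is intended. Separately, the failure is logged at KERN_DEBUG with a format string that has no trailing "\n"; an allocation failure that leaves the chain partially started deserves at least a warning-level message with a terminated line.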