In rtl8xxxu_load_firmware() check the return value of kmemdup() and
error out with -ENOMEM in case of NULL to prevent a NULL pointer
dereference.
Signed-off-by: Tobias Klauser <[email protected]>
---
drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c
index 7d820c395375..59f70513c491 100644
--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c
@@ -2174,6 +2174,10 @@ static int rtl8xxxu_load_firmware(struct rtl8xxxu_priv *priv, char *fw_name)
}
priv->fw_data = kmemdup(fw->data, fw->size, GFP_KERNEL);
+ if (!priv->fw_data) {
+ ret = -ENOMEM;
+ goto exit;
+ }
priv->fw_size = fw->size - sizeof(struct rtl8xxxu_firmware_header);
signature = le16_to_cpu(priv->fw_data->signature);
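Review bot: The line `priv->fw_size = fw->size - sizeof(struct rtl8xxxu_firmware_header);` just after the new NULL check has no visible lower bound on `fw->size`. A firmware file shorter than the header would give a wrapped or negative `priv->fw_size`, and the following `priv->fw_data->signature` read would run past the kmemdup()'d buffer. Unless a size check already exists above the hunk, add one before the kmemdup() call, for example `if (fw->size < sizeof(struct rtl8xxxu_firmware_header)) { ret = -EINVAL; goto exit; }`. The function starts and ends outside the hunk, so it is also worth confirming that the `exit` label releases `fw` on this new error path.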
--
2.7.0.1.g5e091f5
Tobias Klauser <[email protected]> writes:
> In rtl8xxxu_load_firmware() check the return value of kmemdup() and
> error out with -ENOMEM in case of NULL to prevent a NULL pointer
> dereference.
>
> Signed-off-by: Tobias Klauser <[email protected]>
> ---
> drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c | 4 ++++
> 1 file changed, 4 insertions(+)
Thanks, I'll add it to my queue!
Jes
>
> diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c
> index 7d820c395375..59f70513c491 100644
> --- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c
> +++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c
> @@ -2174,6 +2174,10 @@ static int rtl8xxxu_load_firmware(struct rtl8xxxu_priv *priv, char *fw_name)
> }
>
> priv->fw_data = kmemdup(fw->data, fw->size, GFP_KERNEL);
> + if (!priv->fw_data) {
> + ret = -ENOMEM;
> + goto exit;
> + }
> priv->fw_size = fw->size - sizeof(struct rtl8xxxu_firmware_header);
>
> signature = le16_to_cpu(priv->fw_data->signature);