From: Jia-Ju Bai
To: johannes@sipsolutions.net, kvalo@codeaurora.org, davem@davemloft.net
Cc: linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Jia-Ju Bai
Subject: [PATCH] mac80211_hwsim: Fix possible null-pointer dereferences in hwsim_dump_radio_nl()
Date: Mon, 29 Jul 2019 16:23:32 +0800
Message-Id: <20190729082332.28895-1-baijiaju1990@gmail.com>
X-Mailing-List: linux-wireless@vger.kernel.org

In hwsim_dump_radio_nl(), when genlmsg_put() on line 3617 fails, hdr is
assigned to NULL. Then hdr is used on lines 3622 and 3623:
    genl_dump_check_consistent(cb, hdr);
    genlmsg_end(skb, hdr);
Thus, possible null-pointer dereferences may occur.

To fix these bugs, hdr is used here when it is not NULL.

This bug is found by a static analysis tool STCheck written by us.

Signed-off-by: Jia-Ju Bai
--- drivers/net/wireless/mac80211_hwsim.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index 519b4ee88c5c..61a8b6429e09 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -3617,10 +3617,11 @@ static int hwsim_dump_radio_nl(struct sk_buff *skb, hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq, &hwsim_genl_family, NLM_F_MULTI, HWSIM_CMD_GET_RADIO); - if (!hdr) + if (hdr) { + genl_dump_check_consistent(cb, hdr); + genlmsg_end(skb, hdr); + } else res = -EMSGSIZE; - genl_dump_check_consistent(cb, hdr); - genlmsg_end(skb, hdr); } done: -- 2.17.0
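
Review bot: the `else` added after the braced `if (hdr) { ... }` block is left without braces; kernel coding style asks for braces on both branches once either one needs them, so this should read `} else {` with `res = -EMSGSIZE;` inside its own braces. Since `done:` follows directly after the enclosing block, an equivalent and smaller change would keep the original `if (!hdr)` test, set `res = -EMSGSIZE` there and `goto done`, leaving the genl_dump_check_consistent() and genlmsg_end() calls unindented. The commit message also identifies the code by line numbers (3617, 3622, 3623) that only hold for one tree state; the function and call names it already gives are enough.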