Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp127271pxv;
        Fri, 30 Jul 2021 21:14:31 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwyKVZkwp90Nk69si77xbnBJxRK6kNQ23B+rxEGChLCrF/RZJv634kXQ8r2K2ZTc/CkEW2c
X-Received: by 2002:a05:6e02:d93:: with SMTP id i19mr4038902ilj.72.1627704871371;
        Fri, 30 Jul 2021 21:14:31 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1627704871; cv=none;
        d=google.com; s=arc-20160816;
        b=YLeItW00t+tspDGmEfMQo2/EtrOHPjpXMEJvchVkjStH+fc0x2nZaCYuX/yacb3yr7
         Zf4tihcFJ8OXsc6z6/fz8DpEkVcoU3hpEDQH+j25fbvHW1JR8sHcdEjbv5yXgNYyk1sK
         cIS2RSiZz0hzaUKB9uIQ3xCgLJpnbosiCIPTNAU4jn29lpy/UBotE3mzL0dcZWWvn+ce
         0LaUtnyHE/gGHHXfS0mLYpTcYlM2VXhLlw2USKkRe5PvwnhejKIvF50VutSxoyUXsrsi
         CtSZE6Ib3rblS7lNDEHsi1Tmbepl15hmDkzF3zgxXwUl9TFKrxTiXP2nQR8qqRuk437y
         lC8g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-language:content-transfer-encoding
         :mime-version:user-agent:date:message-id:subject:from:cc:to
         :dkim-signature;
        bh=1GinwmTZ6p1ZyLvkmIYCrplYFGZWc23PDJonSjEXc+Y=;
        b=G6vPeS7PyFP8pJ5/aNuFZqNR4SXykLq2Sxy9BaQTto8KwL/DSWfRpJNtaj3kHG4Mk0
         EIBwj2e/LDXlVsp7AtEQCAGCaYtaoDx1oRpdZIRkVVLP6Fp22gK8+7NkdhHzNVio5Q4L
         u/QaS4e2iBmNBvp1LOU+LpWz25w+6fKg5bOffbQXLpbIx9C1jDGAtDeJG7eProiSb4qx
         pucKWQDtXkDnGXi1Jwq7gsQEtF9JaXCTPA9X5v4ds8llGCRVBclbv+iooloD5si5TQeP
         yvzrvsNosBl8qrdOedWABDzgmrS7LQmnk3NRTxsZdlREvcjVkdvnJxKCB07eGeeOhINE
         qu8A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=lrTUsK1a;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id n13si4195124ioj.25.2021.07.30.21.14.05;
        Fri, 30 Jul 2021 21:14:31 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=lrTUsK1a;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229475AbhGaENz (ORCPT <rfc822;jeenmathew26@gmail.com>
        + 99 others); Sat, 31 Jul 2021 00:13:55 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46752 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229448AbhGaENz (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Sat, 31 Jul 2021 00:13:55 -0400
Received: from mail-pl1-x62f.google.com (mail-pl1-x62f.google.com [IPv6:2607:f8b0:4864:20::62f])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9097DC06175F;
        Fri, 30 Jul 2021 21:13:48 -0700 (PDT)
Received: by mail-pl1-x62f.google.com with SMTP id t3so11286992plg.9;
        Fri, 30 Jul 2021 21:13:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=to:cc:from:subject:message-id:date:user-agent:mime-version
         :content-transfer-encoding:content-language;
        bh=1GinwmTZ6p1ZyLvkmIYCrplYFGZWc23PDJonSjEXc+Y=;
        b=lrTUsK1a4TAXLwOJbnjXVYINibE0UkQouroDryetct3Mx6Wrpl0JRuMz6LHJ80bfmE
         UUEXCWQP3cHOzCRz7BaPbuRf9HsDYGcBEB/bBmHh1Frcy5WhmETxhFrfC9cpFcyWcajn
         eQ3KY8jmqR1sdYO+ZQ7LyxYf6TQK9vfx3tZHDwGTBN+fntqW+NPVvDeZQ428UDu+A5hW
         ZBfgcNKoazGstkNeS8IBuSEAQZ0UlfXH1UaYbBFKK0GLGQj1xGyEOZDkw6t+BK6ly/Fa
         IH5ccS4ypNzEKPwWm13t2y/FFKJBS3Hfp2g9Wg2PPN7SsubwRoV8Ou13Pott0IzlpGP3
         LcCg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:to:cc:from:subject:message-id:date:user-agent
         :mime-version:content-transfer-encoding:content-language;
        bh=1GinwmTZ6p1ZyLvkmIYCrplYFGZWc23PDJonSjEXc+Y=;
        b=EalSlwqTAr5m3iv7RHPorDFxzGhp8nmlglQoElSWnKfviBg0N4iXw6IyxNWtNVyq6m
         DdCRFXfi/wZaGfhf/RsMssCIpV7/QVsIW0sW1icJx18S5AVj1ozC/m192ZN5tIUJT90n
         fsl1IrZ56/g+wVv5KRtAu8g4jdzWRYoCbBF+UExhw7lNzU70Kt0j9iG7I2h2rjV6dX+O
         Y5PBDr5gqATKUZF2xYxfdt/AHX0iS9onAnVDb7lnyYpPP+cAxaL0+aakhElonvjlNKut
         dchbbSq93ENY9MDAUOt9IfWG4RL7nrB9397YKobJeJAPzf7avFYWAeZMelq7U4grkWjm
         CKUg==
X-Gm-Message-State: AOAM532ujBQ6ZB6j87ipLBlKiC+A+QCRtvxK8+Z8HRaASqXD5CJ6HZRM
        er+Kz0wCMvnHtxLZTwhgEIQ=
X-Received: by 2002:a17:902:f68d:b029:12c:4619:c63a with SMTP id l13-20020a170902f68db029012c4619c63amr4724967plg.66.1627704828165;
        Fri, 30 Jul 2021 21:13:48 -0700 (PDT)
Received: from [10.106.0.50] ([45.135.186.29])
        by smtp.gmail.com with ESMTPSA id s5sm3976860pfk.114.2021.07.30.21.13.45
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Fri, 30 Jul 2021 21:13:47 -0700 (PDT)
To:     amitkarwar@gmail.com, ganapathi017@gmail.com,
        sharvari.harisangam@nxp.com, huxinming820@gmail.com,
        kvalo@codeaurora.org, davem@davemloft.net, kuba@kernel.org
Cc:     linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org, baijiaju1990@gmail.com
From:   Li Tuo <islituo@gmail.com>
Subject: [BUG] mwifiex: possible null-pointer dereference in
 mwifiex_dnld_cmd_to_fw()
Message-ID: <968036b8-df27-3f22-074b-3aeed7c7bbf2@gmail.com>
Date:   Sat, 31 Jul 2021 12:13:46 +0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101
 Thunderbird/78.12.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

Hello,

Our static analysis tool finds a possible null-pointer dereference in 
the mwifiex driver in Linux 5.14.0-rc3:

The variable cmd_node->cmd_skb->data is assigned to the variable 
host_cmd, and host_cmd is checked in:
190:    if (host_cmd == NULL || host_cmd->size == 0)

This indicates that host_cmd can be NULL.
If so, the function mwifiex_recycle_cmd_node() will be called with the 
argument cmd_node:
196:    mwifiex_recycle_cmd_node(adapter, cmd_node);

In this called function, the variable cmd_node->cmd_skb->data is 
assigned to the variable host_cmd, too.
Thus the variable host_cmd in the function mwifiex_recycle_cmd_node() 
can be also NULL.
However, it is dereferenced when calling le16_to_cpu():
144:    le16_to_cpu(host_cmd->command)

I am not quite sure whether this possible null-pointer dereference is 
real and how to fix it if it is real.
Any feedback would be appreciated, thanks!

Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>

Best wishes,
Tuo Li