2021-08-10 14:21:50

by Tuo Li

[permalink] [raw]
Subject: [BUG] ipw2x00: possible null-pointer dereference in libipw_wx_set_encode()


Our static analysis tool finds a possible null-pointer dereference in
the ipw2x00 driver in Linux 5.14.0-rc3:

The variable (*crypt)->ops is checked in:
360:    if (*crypt != NULL && (*crypt)->ops != NULL &&
strcmp((*crypt)->ops->name, "WEP") != 0)

This indicates that (*crypt)->ops can be NULL. If so, some possible
null-pointer dereferences will occur:
407:    (*crypt)->ops->set_key(sec.keys[key], len, NULL, (*crypt)->priv);
417:    len = (*crypt)->ops->get_key(sec.keys[key], WEP_KEY_LEN, ...)

I am not quite sure whether these possible null-pointer dereferences are
real and how to fix them if they are real.
Any feedback would be appreciated, thanks!

Reported-by: TOTE Robot <[email protected]>

Best wishes,
Tuo Li