summaryrefslogtreecommitdiffstats
path: root/drivers/net/usb
diff options
context:
space:
mode:
authorOliver Neukum <oneukum@suse.com>2017-04-05 14:14:39 +0200
committerDavid S. Miller <davem@davemloft.net>2017-04-06 13:17:27 -0700
commit6c22fce07c97f765af1808ec3be007847e0b47d1 (patch)
treeb3ddd85262c049a9bb28de759acdaec30f5d2280 /drivers/net/usb
parent92f9170621a13e4ba4eda6dfb070318d5405a0cf (diff)
downloadlinux-6c22fce07c97f765af1808ec3be007847e0b47d1.tar.bz2
usbnet: make sure no NULL pointer is passed through
Coverity reports: ** CID 751368: Null pointer dereferences (FORWARD_NULL) /drivers/net/usb/usbnet.c: 1925 in __usbnet_read_cmd() ________________________________________________________________________________________________________ *** CID 751368: Null pointer dereferences (FORWARD_NULL) /drivers/net/usb/usbnet.c: 1925 in __usbnet_read_cmd() 1919 EXPORT_SYMBOL(usbnet_link_change); 1920 1921 /*-------------------------------------------------------------------------*/ 1922 static int __usbnet_read_cmd(struct usbnet *dev, u8 cmd, u8 reqtype, 1923 u16 value, u16 index, void *data, u16 size) 1924 { >>> CID 751368: Null pointer dereferences (FORWARD_NULL) >>> Assigning: "buf" = "NULL". 1925 void *buf = NULL; 1926 int err = -ENOMEM; 1927 1928 netdev_dbg(dev->net, "usbnet_read_cmd cmd=0x%02x reqtype=%02x" 1929 " value=0x%04x index=0x%04x size=%d\n", 1930 cmd, reqtype, value, index, size); ** CID 751370: Null pointer dereferences (FORWARD_NULL) /drivers/net/usb/usbnet.c: 1952 in __usbnet_write_cmd() ________________________________________________________________________________________________________ *** CID 751370: Null pointer dereferences (FORWARD_NULL) /drivers/net/usb/usbnet.c: 1952 in __usbnet_write_cmd() 1946 } 1947 1948 static int __usbnet_write_cmd(struct usbnet *dev, u8 cmd, u8 reqtype, 1949 u16 value, u16 index, const void *data, 1950 u16 size) 1951 { >>> CID 751370: Null pointer dereferences (FORWARD_NULL) >>> Assigning: "buf" = "NULL". 1952 void *buf = NULL; 1953 int err = -ENOMEM; 1954 1955 netdev_dbg(dev->net, "usbnet_write_cmd cmd=0x%02x reqtype=%02x" 1956 " value=0x%04x index=0x%04x size=%d\n", 1957 cmd, reqtype, value, index, size); ** CID 1325026: Null pointer dereferences (FORWARD_NULL) /drivers/net/usb/ch9200.c: 143 in control_write() It is valid to offer commands without a buffer, but then you need a size of zero. This should actually be checked. Signed-off-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/usb')
-rw-r--r--drivers/net/usb/usbnet.c19
1 files changed, 15 insertions, 4 deletions
diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index 3de65ea6531a..453244805c52 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1929,7 +1929,7 @@ static int __usbnet_read_cmd(struct usbnet *dev, u8 cmd, u8 reqtype,
" value=0x%04x index=0x%04x size=%d\n",
cmd, reqtype, value, index, size);
- if (data) {
+ if (size) {
buf = kmalloc(size, GFP_KERNEL);
if (!buf)
goto out;
@@ -1938,8 +1938,13 @@ static int __usbnet_read_cmd(struct usbnet *dev, u8 cmd, u8 reqtype,
err = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
cmd, reqtype, value, index, buf, size,
USB_CTRL_GET_TIMEOUT);
- if (err > 0 && err <= size)
- memcpy(data, buf, err);
+ if (err > 0 && err <= size) {
+ if (data)
+ memcpy(data, buf, err);
+ else
+ netdev_dbg(dev->net,
+ "Huh? Data requested but thrown away.\n");
+ }
kfree(buf);
out:
return err;
@@ -1960,7 +1965,13 @@ static int __usbnet_write_cmd(struct usbnet *dev, u8 cmd, u8 reqtype,
buf = kmemdup(data, size, GFP_KERNEL);
if (!buf)
goto out;
- }
+ } else {
+ if (size) {
+ WARN_ON_ONCE(1);
+ err = -EINVAL;
+ goto out;
+ }
+ }
err = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
cmd, reqtype, value, index, buf, size,