Patchwork 3c515: Write outside array bounds

Submitter roel kluin
Date July 25, 2009, 10:35 p.m.
Message ID <4A6B88B1.9000907@gmail.com>
Permalink /patch/30231/
State Changes Requested
Delegated to: David Miller

Comments

roel kluin - July 25, 2009, 10:35 p.m.
if dev_alloc_skb() fails on the first iteration, a write to
cp->rx_ring[-1] occurs.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
Please review: can we error return like this?

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Jarek Poplawski - July 26, 2009, 9:16 p.m.
Roel Kluin wrote, On 07/26/2009 12:35 AM:

> if dev_alloc_skb() fails on the first iteration, a write to
> cp->rx_ring[-1] occurs.
> 
> Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
> ---
> Please review: can we error return like this?


I doubt we can return here: there is a lot of cleaning missing.

Jarek P.

> 
> diff --git a/drivers/net/3c515.c b/drivers/net/3c515.c
> index 3e00fa8..c84815a 100644
> --- a/drivers/net/3c515.c
> +++ b/drivers/net/3c515.c
> @@ -827,7 +827,7 @@ static int corkscrew_open(struct net_device *dev)
>  			skb = dev_alloc_skb(PKT_BUF_SZ);
>  			vp->rx_skbuff[i] = skb;
>  			if (skb == NULL)
> -				break;	/* Bad news!  */
> +				return -ENOMEM;	/* Bad news!  */
>  			skb->dev = dev;	/* Mark as being used by this device. */
>  			skb_reserve(skb, 2);	/* Align IP on 16 byte boundaries */
>  			vp->rx_ring[i].addr = isa_virt_to_bus(skb->data);
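
Review bot: the changelog describes a write to cp->rx_ring[-1], but the ring indexed in this hunk is vp->rx_ring and no cp appears in the visible lines of corkscrew_open(). The commit message should name vp->rx_ring so the description matches the code being changed.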

Patch

diff --git a/drivers/net/3c515.c b/drivers/net/3c515.c
index 3e00fa8..c84815a 100644
--- a/drivers/net/3c515.c
+++ b/drivers/net/3c515.c
@@ -827,7 +827,7 @@  static int corkscrew_open(struct net_device *dev)
 			skb = dev_alloc_skb(PKT_BUF_SZ);
 			vp->rx_skbuff[i] = skb;
 			if (skb == NULL)
-				break;	/* Bad news!  */
+				return -ENOMEM;	/* Bad news!  */
 			skb->dev = dev;	/* Mark as being used by this device. */
 			skb_reserve(skb, 2);	/* Align IP on 16 byte boundaries */
 			vp->rx_ring[i].addr = isa_virt_to_bus(skb->data);
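
Review bot: the new "return -ENOMEM;" under the skb == NULL check exits corkscrew_open() without releasing the buffers that earlier iterations stored in vp->rx_skbuff[], so a failure at i > 0 leaks every skb allocated so far, and any setup done before the loop is left in place too. Either unwind before returning (free vp->rx_skbuff[0] through vp->rx_skbuff[i - 1] and undo the earlier setup, for example through a goto to an error label), or keep the break and guard the code after the loop so it never indexes rx_ring with i - 1 when i is 0.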