From patchwork Mon Jan 17 20:24:57 2011
X-Patchwork-Submitter: Jesper Juhl
X-Patchwork-Id: 79215
X-Patchwork-Delegate: davem@davemloft.net
Date: Mon, 17 Jan 2011 21:24:57 +0100 (CET)
From: Jesper Juhl
To: netdev@vger.kernel.org
cc: linux-ns83820@kvack.org, linux-kernel@vger.kernel.org, Tejun Heo, Tejun Heo, Kulikov Vasiliy, Denis Kirjanov, "David S. Miller", Benjamin LaHaise
Subject: [PATCH] ns83820: Avoid bad pointer deref in ns83820_init_one().

In drivers/net/ns83820.c::ns83820_init_one() we dynamically allocate memory via alloc_etherdev(). We then call PRIV() on the returned storage which is 'return netdev_priv()'. netdev_priv() takes the pointer it is passed and adds 'ALIGN(sizeof(struct net_device), NETDEV_ALIGN)' to it and returns it. Then we test the resulting pointer for NULL, which it is unlikely to be at this point, and later dereference it. This will go bad if alloc_etherdev() actually returned NULL.

This patch reworks the code slightly so that we test for a NULL pointer (and return -ENOMEM) directly after calling alloc_etherdev().

Signed-off-by: Jesper Juhl
Signed-off-by: Benjamin LaHaise
---
 ns83820.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

Compile tested only. I have no way to test this for real.

diff --git a/drivers/net/ns83820.c b/drivers/net/ns83820.c index 84134c7..a41b2cf 100644 --- a/drivers/net/ns83820.c +++ b/drivers/net/ns83820.c @@ -1988,12 +1988,11 @@ static int __devinit ns83820_init_one(struct pci_dev *pci_dev, } ndev = alloc_etherdev(sizeof(struct ns83820)); - dev = PRIV(ndev); - err = -ENOMEM; - if (!dev) + if (!ndev) goto out; + dev = PRIV(ndev); dev->ndev = ndev; spin_lock_init(&dev->rx_info.lock);
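Review bot: the new `if (!ndev) goto out;` jumps to an `out` label that lies outside this hunk, so please confirm that the `out` path never touches `ndev` or `dev` when `alloc_etherdev()` has failed; if it does, a plain `return -ENOMEM;` at this point would be safer than the goto. The changelog promises a return of -ENOMEM, so `err = -ENOMEM;` must stay ahead of the new test; it is worth double-checking the applied result, since the removed blank line sits right next to that assignment. Moving `dev = PRIV(ndev);` below the check is the right ordering. Since this is compile tested only, a short note in the changelog that the old `!dev` test could not catch the failure (PRIV() adds a fixed offset to the pointer) would help anyone evaluating the fix for stable.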