From patchwork Fri Feb 16 22:56:39 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Subash Abhinov Kasiviswanathan X-Patchwork-Id: 874698 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=codeaurora.org header.i=@codeaurora.org header.b="MTm7EUVE"; dkim=pass (1024-bit key) header.d=codeaurora.org header.i=@codeaurora.org header.b="cHTi0eDR"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3zjpSQ6VRDz9t2c for ; Sat, 17 Feb 2018 09:57:26 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750996AbeBPW5Q (ORCPT ); Fri, 16 Feb 2018 17:57:16 -0500 Received: from smtp.codeaurora.org ([198.145.29.96]:49328 "EHLO smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750896AbeBPW5K (ORCPT ); Fri, 16 Feb 2018 17:57:10 -0500 Received: by smtp.codeaurora.org (Postfix, from userid 1000) id 02CFA60863; Fri, 16 Feb 2018 22:57:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1518821830; bh=4SD6EdxrNWdni9CVJ0RG2qt3ZTis/Wm4SSb1uqt+/X8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=MTm7EUVENpKQiQ/DmvxcelbLfJaXnyq+uXiSPnupzcd+kdFwTzrVq+j1Dm5zoJmIw uNpbYmhS3wQkJCPRG42/rr6Hue2pCj8rb7LarQWS9KPUI4w0r7I7hNnAo9sPmwtBNA QZerrhDWeBAKx+F3xYP6FtZPGgh+qVgRxyZmIpgg= X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on pdx-caf-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.8 required=2.0 tests=ALL_TRUSTED,BAYES_00, DKIM_SIGNED, T_DKIM_INVALID autolearn=no autolearn_force=no version=3.4.0 Received: from subashab-lnx.qualcomm.com (unknown [129.46.15.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: subashab@codeaurora.org) by smtp.codeaurora.org (Postfix) with ESMTPSA id 5830160227; Fri, 16 Feb 2018 22:57:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1518821829; bh=4SD6EdxrNWdni9CVJ0RG2qt3ZTis/Wm4SSb1uqt+/X8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=cHTi0eDReqSo3s3teq0kR9FRSN43xRl8MTXMYTUsJnO99Hnh3a68fjRNE2tybhZCj tM59PXrPGbICVHHz4nkg3/xHZYqfC3Se/UZmB7iybOcbCmlONAKHcFo45TvJL8Nre7 CrG1Z3Vygqn2fOhQS0kHxHFJpGpEzmhSq3uYMoc8= DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org 5830160227 Authentication-Results: pdx-caf-mail.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org Authentication-Results: pdx-caf-mail.web.codeaurora.org; spf=none smtp.mailfrom=subashab@codeaurora.org From: Subash Abhinov Kasiviswanathan To: davem@davemloft.net, netdev@vger.kernel.org Cc: Subash Abhinov Kasiviswanathan Subject: [PATCH net 3/3] net: qualcomm: rmnet: Fix possible null dereference in command processing Date: Fri, 16 Feb 2018 15:56:39 -0700 Message-Id: <1518821799-24549-4-git-send-email-subashab@codeaurora.org> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1518821799-24549-1-git-send-email-subashab@codeaurora.org> References: <1518821799-24549-1-git-send-email-subashab@codeaurora.org> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org If a command packet with invalid mux id is received, the packet would not have a valid endpoint. This invalid endpoint maybe dereferenced leading to a crash. Identified by manual code inspection. Fixes: 3352e6c45760 ("net: qualcomm: rmnet: Convert the muxed endpoint to hlist") Signed-off-by: Subash Abhinov Kasiviswanathan --- drivers/net/ethernet/qualcomm/rmnet/rmnet_map_command.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_command.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_command.c index 6bc328f..b0dbca0 100644 --- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_command.c +++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_map_command.c @@ -38,6 +38,11 @@ static u8 rmnet_map_do_flow_control(struct sk_buff *skb, } ep = rmnet_get_endpoint(port, mux_id); + if (!ep) { + kfree_skb(skb); + return RX_HANDLER_CONSUMED; + } + vnd = ep->egress_dev; ip_family = cmd->flow_control.ip_family;