[PATCH] usb: gadget: prevent potenial null pointer dereference on skb->len

From: Colin King
Date: Mon Sep 05 2016 - 11:38:50 EST

Next message: Arnd Bergmann: "Re: [PATCH] usb: dwc3: host: inherit dma configuration from parent dev"
Previous message: Boris Brezillon: "[PATCH 3/6] UBI: use vol->usable_leb_size instead of (ubi->leb_size - vol->data_pad)"
Next in thread: Peter Chen: "RE: [PATCH] usb: gadget: prevent potenial null pointer dereference on skb->len"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Colin Ian King <colin.king@xxxxxxxxxxxxx>

An earlier fix partially fixed the null pointer dereference on skb->len
by moving the assignment of len after the check on skb being non-null,
however it failed to remove the erroneous dereference when assigning len.
Correctly fix this by removing the initialisation of len as was
originally intended.

Fixes: 70237dc8efd092 ("usb: gadget: function: f_eem: socket buffer may be NULL")
Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
---
drivers/usb/gadget/function/f_eem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/function/f_eem.c b/drivers/usb/gadget/function/f_eem.c
index 8741fd7..007ec6e 100644
--- a/drivers/usb/gadget/function/f_eem.c
+++ b/drivers/usb/gadget/function/f_eem.c
@@ -342,7 +342,7 @@ static struct sk_buff *eem_wrap(struct gether *port, struct sk_buff *skb)
struct sk_buff *skb2 = NULL;
struct usb_ep *in = port->in_ep;
int headroom, tailroom, padlen = 0;
- u16 len = skb->len;
+ u16 len;

if (!skb)
return NULL;
--
2.9.3

Next message: Arnd Bergmann: "Re: [PATCH] usb: dwc3: host: inherit dma configuration from parent dev"
Previous message: Boris Brezillon: "[PATCH 3/6] UBI: use vol->usable_leb_size instead of (ubi->leb_size - vol->data_pad)"
Next in thread: Peter Chen: "RE: [PATCH] usb: gadget: prevent potenial null pointer dereference on skb->len"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]