From 3d4bd24b019981394fabb465b0c7932924b83d65 Mon Sep 17 00:00:00 2001 From: Florin Malita Date: Fri, 18 May 2007 16:04:33 -0400 Subject: [PATCH] libertas: skb dereferenced after netif_rx In libertas_process_rxed_packet() and process_rxed_802_11_packet() the skb is dereferenced after being passed to netif_rx (called from libertas_upload_rx_packet). Spotted by Coverity (1658, 1659). Also, libertas_upload_rx_packet() unconditionally returns 0 so the error check is dead code - might as well take it out and change the signature. Signed-off-by: Florin Malita Signed-off-by: John W. Linville --- drivers/net/wireless/libertas/decl.h | 2 +- drivers/net/wireless/libertas/rx.c | 22 +++++----------------- 2 files changed, 6 insertions(+), 18 deletions(-) diff --git a/drivers/net/wireless/libertas/decl.h b/drivers/net/wireless/libertas/decl.h index 606bdd002be..dfe27642322 100644 --- a/drivers/net/wireless/libertas/decl.h +++ b/drivers/net/wireless/libertas/decl.h @@ -46,7 +46,7 @@ u32 libertas_index_to_data_rate(u8 index); u8 libertas_data_rate_to_index(u32 rate); void libertas_get_fwversion(wlan_adapter * adapter, char *fwversion, int maxlen); -int libertas_upload_rx_packet(wlan_private * priv, struct sk_buff *skb); +void libertas_upload_rx_packet(wlan_private * priv, struct sk_buff *skb); /** The proc fs interface */ int libertas_process_rx_command(wlan_private * priv); diff --git a/drivers/net/wireless/libertas/rx.c b/drivers/net/wireless/libertas/rx.c index d17924f764e..b19b5aa8713 100644 --- a/drivers/net/wireless/libertas/rx.c +++ b/drivers/net/wireless/libertas/rx.c @@ -136,7 +136,7 @@ static void wlan_compute_rssi(wlan_private * priv, struct rxpd *p_rx_pd) LEAVE(); } -int libertas_upload_rx_packet(wlan_private * priv, struct sk_buff *skb) +void libertas_upload_rx_packet(wlan_private * priv, struct sk_buff *skb) { lbs_pr_debug(1, "skb->data=%p\n", skb->data); 
@@ -148,8 +148,6 @@ int libertas_upload_rx_packet(wlan_private * priv, struct sk_buff *skb) skb->ip_summed = CHECKSUM_UNNECESSARY; netif_rx(skb); - - return 0; } /** @@ -269,15 +267,11 @@ int libertas_process_rxed_packet(wlan_private * priv, struct sk_buff *skb) wlan_compute_rssi(priv, p_rx_pd); lbs_pr_debug(1, "RX Data: size of actual packet = %d\n", skb->len); - if (libertas_upload_rx_packet(priv, skb)) { - lbs_pr_debug(1, "RX error: libertas_upload_rx_packet" - " returns failure\n"); - ret = -1; - goto done; - } priv->stats.rx_bytes += skb->len; priv->stats.rx_packets++; + libertas_upload_rx_packet(priv, skb); + ret = 0; done: LEAVE(); @@ -438,17 +432,11 @@ static int process_rxed_802_11_packet(wlan_private * priv, struct sk_buff *skb) wlan_compute_rssi(priv, prxpd); lbs_pr_debug(1, "RX Data: size of actual packet = %d\n", skb->len); - - if (libertas_upload_rx_packet(priv, skb)) { - lbs_pr_debug(1, "RX error: libertas_upload_rx_packet " - "returns failure\n"); - ret = -1; - goto done; - } - priv->stats.rx_bytes += skb->len; priv->stats.rx_packets++; + libertas_upload_rx_packet(priv, skb); + ret = 0; done: LEAVE(); -- cgit v1.2.3 From 596f2d0554352f1089f7478b309b27d8cdf5cd4f Mon Sep 17 00:00:00 2001 From: Eugene Teo Date: Sat, 19 May 2007 11:09:20 +0800 Subject: [PATCH] drivers/net/wireless/libertas/fw.c: fix use-before-check NULL checks should be performed before the dereference. Spotted by the Coverity checker. Signed-off-by: Eugene Teo Signed-off-by: John W. Linville --- drivers/net/wireless/libertas/fw.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/libertas/fw.c b/drivers/net/wireless/libertas/fw.c index 441123c85e6..5c63c9b1659 100644 --- a/drivers/net/wireless/libertas/fw.c +++ b/drivers/net/wireless/libertas/fw.c 
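Review bot: Nothing in the `libertas_process_rxed_packet()` hunk records why the `priv->stats` updates must now come before `libertas_upload_rx_packet(priv, skb)`, so a later edit could move an `skb` access back behind the call and reintroduce the post-`netif_rx()` dereference. I would add a comment directly above the call, for example `/* netif_rx() takes ownership of skb: no skb access after this call */`. The same comment belongs above the identical call in the `process_rxed_802_11_packet()` hunk. Both functions start and end outside their hunks, so anything after the `done:` label that touches `skb` is not visible here and should be checked against the same rule.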
@@ -333,18 +333,22 @@ static void command_timer_fn(unsigned long data) unsigned long flags; ptempnode = adapter->cur_cmd; + if (ptempnode == NULL) { + lbs_pr_debug(1, "PTempnode Empty\n"); + return; + } + cmd = (struct cmd_ds_command *)ptempnode->bufvirtualaddr; + if (!cmd) { + lbs_pr_debug(1, "cmd is NULL\n"); + return; + } lbs_pr_info("command_timer_fn fired (%x)\n", cmd->command); if (!adapter->fw_ready) return; - if (ptempnode == NULL) { - lbs_pr_debug(1, "PTempnode Empty\n"); - return; - } - spin_lock_irqsave(&adapter->driver_lock, flags); adapter->cur_cmd = NULL; spin_unlock_irqrestore(&adapter->driver_lock, flags); -- cgit v1.2.3 From 412e8a0ebf1a58c060cc76438e5b6d33789c5e20 Mon Sep 17 00:00:00 2001 From: Eugene Teo Date: Mon, 21 May 2007 22:30:22 +0800 Subject: [PATCH] drivers/net/wireless/libertas/rx.c: fix use-after-free skb could have been freed by then. Also, in libertas_upload_rx_packet(), skb->protocol is initialized by eth_type_trans(). Signed-off-by: Eugene Teo Signed-off-by: John W. Linville --- drivers/net/wireless/libertas/rx.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/net/wireless/libertas/rx.c b/drivers/net/wireless/libertas/rx.c index b19b5aa8713..96619a32951 100644 --- a/drivers/net/wireless/libertas/rx.c +++ b/drivers/net/wireless/libertas/rx.c @@ -441,7 +441,5 @@ static int process_rxed_802_11_packet(wlan_private * priv, struct sk_buff *skb) done: LEAVE(); - skb->protocol = __constant_htons(0x0019); /* ETH_P_80211_RAW */ - return (ret); } -- cgit v1.2.3
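Review bot: The new NULL checks in `command_timer_fn()` read `adapter->cur_cmd` and dereference `ptempnode->bufvirtualaddr` before `adapter->driver_lock` is taken; the only locked region visible in the hunk is the later `adapter->cur_cmd = NULL`. If another context can clear or recycle the current command node (not visible here), the node can still go stale between the check and the `cmd->command` read. Consider taking the snapshot under the lock, `spin_lock_irqsave(&adapter->driver_lock, flags); ptempnode = adapter->cur_cmd; spin_unlock_irqrestore(&adapter->driver_lock, flags);`, or adding a comment that states why the timer callback is the sole owner of `cur_cmd` at this point. The function body continues outside the hunk.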