From: Grant Grundler <grundler@parisc-linux•org>
To: Kyle McMartin <kyle@mcmartin•ca>
Cc: netdev@vger•kernel.org, Dan Carpenter <error27@gmail•com>,
grundler@parisc-linux•org
Subject: Re: Null dereference in uli526x_rx_packet()
Date: Sat, 28 Mar 2009 23:35:13 -0600
Message-ID: <20090329053513.GD19602@colo.lackof.org>
In-Reply-To: <20090328032332.GA22353@bombadil.infradead.org>

On Fri, Mar 27, 2009 at 11:23:32PM -0400, Kyle McMartin wrote:
> On Fri, Mar 27, 2009 at 10:47:54PM -0400, Kyle McMartin wrote:
> > > I don't know if the right fix is to return like this patch does or to set
> > > skb = rxptr->rx_skb_ptr again.
> > >
> >
> > Ick... that's a good catch. I'll have to think about this.
> >
>
> I think this is alright, it at least keeps the original intent of the
> code. I don't pretend to have figured it out yet though.
>
> I'll stare more at this Monday...
>
> I guess the real question is does anyone still have one of these
> cards. I don't think I do, just the proper tulips. :/

Ditto. AFAIK, I only have tulips.

Patch below looks right to me. Clobbering the skb is certainly wrong.

Acked-by: Grant Grundler <grundler@parisc-linux•org>

thanks,
grant

> diff --git a/drivers/net/tulip/uli526x.c b/drivers/net/tulip/uli526x.c
> index 030e02e..9264a58 100644
> --- a/drivers/net/tulip/uli526x.c
> +++ b/drivers/net/tulip/uli526x.c
> @@ -840,13 +840,15 @@ static void uli526x_rx_packet(struct net_device *dev, struct uli526x_board_info
>
> if ( !(rdes0 & 0x8000) ||
> ((db->cr6_data & CR6_PM) && (rxlen>6)) ) {
> + struct sk_buff *new_skb = NULL;
> +
> skb = rxptr->rx_skb_ptr;
>
> /* Good packet, send to upper layer */
> /* Shorst packet used new SKB */
> - if ( (rxlen < RX_COPY_SIZE) &&
> - ( (skb = dev_alloc_skb(rxlen + 2) )
> - != NULL) ) {
> + if ((rxlen < RX_COPY_SIZE) &&
> + ((new_skb = dev_alloc_skb(rxlen + 2) != NULL))) {
> + skb = new_skb;
> /* size less than COPY_SIZE, allocate a rxlen SKB */
> skb_reserve(skb, 2); /* 16byte align */
> memcpy(skb_put(skb, rxlen),
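
Review bot: The closing parenthesis in the added condition "((new_skb = dev_alloc_skb(rxlen + 2) != NULL))" is misplaced, so != is evaluated before the assignment and new_skb receives the 0/1 result of the comparison instead of the pointer returned by dev_alloc_skb(). On a successful allocation "skb = new_skb" then passes that value to skb_reserve() and skb_put(), and the buffer that was actually allocated is never referenced again. Group the assignment first: "((new_skb = dev_alloc_skb(rxlen + 2)) != NULL)". With that change the failure path keeps skb pointing at rxptr->rx_skb_ptr, which is the stated intent of the fix.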