Begin forwarded message:
Date: Sat, 22 Apr 2017 14:56:25 +0000
From: bugzilla-dae...@bugzilla.kernel.org
To: step...@networkplumber.org
Subject: [Bug 195503] New: tipc: unchecked return value of nlmsg_new() in function tipc_nl_node_get_monitor()

https://bugzilla.kernel.org/show_bug.cgi?id=195503

            Bug ID: 195503
           Summary: tipc: unchecked return value of nlmsg_new() in function
                    tipc_nl_node_get_monitor()
           Product: Networking
           Version: 2.5
    Kernel Version: linux-4.11-rc7
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Other
          Assignee: step...@networkplumber.org
          Reporter: bianpan2...@ruc.edu.cn
        Regression: No

Function nlmsg_new() will return a NULL pointer if there is not enough memory.
In function tipc_nl_node_get_monitor(), the return value of nlmsg_new() is not
checked (see line 2100), which may result in bad memory access.

tipc_nl_node_get_monitor @@ net/tipc/node.c

2094 int tipc_nl_node_get_monitor(struct sk_buff *skb, struct genl_info *info)
2095 {
2096         struct net *net = sock_net(skb->sk);
2097         struct tipc_nl_msg msg;
2098         int err;
2099
2100         msg.skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2101         msg.portid = info->snd_portid;
2102         msg.seq = info->snd_seq;
2103
2104         err = __tipc_nl_add_monitor_prop(net, &msg);
2105         if (err) {
2106                 nlmsg_free(msg.skb);
2107                 return err;
2108         }
2109
2110         return genlmsg_reply(msg.skb, info);
2111 }

Generally, the return value of nlmsg_new() should be checked against NULL, as
follows.

nfc_genl_target_lost @@ net/nfc/netlink.c:

213 int nfc_genl_target_lost(struct nfc_dev *dev, u32 target_idx)
214 {
215         struct sk_buff *msg;
216         void *hdr;
217
218         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
219         if (!msg)
220                 return -ENOMEM;
...
237 nla_put_failure:
238         genlmsg_cancel(msg, hdr);
239 free_msg:
240         nlmsg_free(msg);
241         return -EMSGSIZE;
242 }

Thanks very much for your attention!

Pan Bian

--
You are receiving this mail because:
You are the assignee for the bug.
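The following is an added, userspace model of the fix the report asks for; it is not code from the kernel or from the reporter. The kernel helpers (nlmsg_new, __tipc_nl_add_monitor_prop, genlmsg_reply, nlmsg_free) are replaced by hypothetical stubs with a fault-injection knob, so the control flow of the hardened function can be exercised when the allocation fails: it returns -ENOMEM before anything dereferences the NULL skb, instead of crashing as the unchecked version on the page would.

```c
/* Added illustration, not kernel code: a userspace model of
 * tipc_nl_node_get_monitor() with the missing NULL check in place. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

struct sk_buff { char payload[64]; };          /* stand-in for the kernel skb */
struct tipc_nl_msg { struct sk_buff *skb; unsigned portid; unsigned seq; };

/* Constructed test knob: when nonzero, the next allocation fails (models the
 * out-of-memory condition under which the real nlmsg_new() returns NULL). */
static int fail_next_alloc;

static struct sk_buff *nlmsg_new(size_t size, int flags)
{
    (void)size; (void)flags;
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return calloc(1, sizeof(struct sk_buff));
}

static void nlmsg_free(struct sk_buff *skb) { free(skb); }

/* Hypothetical stub for __tipc_nl_add_monitor_prop(): it writes into the
 * message buffer, which is exactly the dereference that would fault if
 * msg->skb were NULL in the unchecked version. */
static int add_monitor_prop_stub(struct tipc_nl_msg *msg)
{
    msg->skb->payload[0] = 1;
    return 0;
}

/* Hypothetical stub for genlmsg_reply(): the reply path consumes the skb. */
static int genlmsg_reply_stub(struct sk_buff *skb) { free(skb); return 0; }

/* Hardened variant: check nlmsg_new() against NULL and fail with -ENOMEM. */
int tipc_nl_node_get_monitor_fixed(unsigned portid, unsigned seq)
{
    struct tipc_nl_msg msg;
    int err;

    msg.skb = nlmsg_new(0, 0);
    if (!msg.skb)
        return -ENOMEM;          /* bail out before skb is ever dereferenced */
    msg.portid = portid;
    msg.seq = seq;

    err = add_monitor_prop_stub(&msg);
    if (err) {
        nlmsg_free(msg.skb);
        return err;
    }
    return genlmsg_reply_stub(msg.skb);
}
```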