usbnet_start_xmit() - If info->tx_fixup is not defined by the class driver, the skb pointer is never NULL-checked, which leads to a NULL dereference. __usbnet_read_cmd() - If the data pointer is passed as NULL, memcpy will dereference a NULL pointer.
Signed-off-by: Vivek Kumar Bhagat <[email protected]>
---
 drivers/net/usb/usbnet.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index 3c86b10..ec4d224 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1294,6 +1294,8 @@ netdev_tx_t usbnet_start_xmit (struct sk_buff *skb,
 if (skb)
 skb_tx_timestamp(skb);
+ else
+ goto drop;
 // some devices want funky USB-level framing, for
 // win32 driver (usually) and/or hardware quirks
@@ -1906,7 +1908,8 @@ static int __usbnet_read_cmd(struct usbnet *dev, u8 cmd, u8 reqtype,
 buf = kmalloc(size, GFP_KERNEL);
 if (!buf)
 goto out;
- }
+ } else
+ goto out;
 err = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
 cmd, reqtype, value, index, buf, size,
-- 
1.7.9.5
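Review bot: In the usbnet_start_xmit hunk, the new `else goto drop;` runs before the tx_fixup handling that the following comment introduces, so a NULL skb is now dropped for every driver, including those that define tx_fixup, which is the case the description treats as already handled. If any class driver passes a NULL skb on purpose and relies on its tx_fixup to deal with it (worth checking the callers), this changes its behaviour and counts a spurious drop. Consider limiting the check to the path without a fixup, e.g. `if (!skb && !info->tx_fixup) goto drop;`, placed next to that branch. The `drop` label and the rest of the function are outside the hunk, so confirm that the drop path is safe with a NULL skb and with the locals it releases still unset.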
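Review bot: In the __usbnet_read_cmd hunk, the added `else goto out;` does not test `data`, which is the pointer the description says gets dereferenced; it pairs with an `if` whose condition is outside the hunk. If that condition is on `size`, as the `kmalloc(size, GFP_KERNEL)` inside it suggests, a zero-length request now skips `usb_control_msg()` altogether and returns whatever `err` held before, while a NULL `data` with a non-zero size still reaches the memcpy. A check that matches the description would be `if (size && !data) { err = -EINVAL; goto out; }` ahead of the allocation, or an added `&& data` on the condition guarding the copy. If the `else` stays, kernel coding style wants braces on both branches once one of them has them: `} else {`, `goto out;`, `}`.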
