Commit 231086e6 authored Aug 14, 2023 by Dmitry Antipov Committed by Greg Kroah-Hartman Sep 23, 2023

wifi: mwifiex: avoid possible NULL skb pointer dereference



[ Upstream commit 35a7a1ce7c7d61664ee54f5239a1f120ab95a87e ]

In 'mwifiex_handle_uap_rx_forward()', always check the value
returned by 'skb_copy()' to avoid potential NULL pointer
dereference in 'mwifiex_uap_queue_bridged_pkt()', and drop
original skb in case of copying failure.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 838e4f44 ("mwifiex: improve uAP RX handling")
Acked-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230814095041.16416-1-dmantipov@yandex.ru


Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 5f6f00bc

drivers/net/wireless/marvell/mwifiex/uap_txrx.c

+9 −1

Original line number	Diff line number	Diff line
		@@ -265,7 +265,15 @@ int mwifiex_handle_uap_rx_forward(struct mwifiex_private *priv,

		if (is_multicast_ether_addr(ra)) {
		skb_uap = skb_copy(skb, GFP_ATOMIC);
		if (likely(skb_uap)) {
		mwifiex_uap_queue_bridged_pkt(priv, skb_uap);
		} else {
		mwifiex_dbg(adapter, ERROR,
		"failed to copy skb for uAP\n");
		priv->stats.rx_dropped++;
		dev_kfree_skb_any(skb);
		return -1;
		}
		} else {
		if (mwifiex_get_sta_entry(priv, ra)) {
		/* Requeue Intra-BSS packet */