queue/staging-rtl-fix-possible-NULL-pointer-dereference.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-4.8 - Git at Google

 From 03221cc564bc45786928aa375434dfba544b4cf4 Mon Sep 17 00:00:00 2001
 From: Arnd Bergmann <arnd@arndb.de>
 Date: Wed, 11 Jan 2017 15:53:08 +0100
 Subject: [PATCH] staging: rtl: fix possible NULL pointer dereference

 commit 6e017006022abfea5d2466cad936065f45763ad1 upstream.

 gcc-7 detects that wlanhdr_to_ethhdr() in two drivers calls memcpy() with
 a destination argument that an earlier function call may have set to NULL:

 staging/rtl8188eu/core/rtw_recv.c: In function 'wlanhdr_to_ethhdr':
 staging/rtl8188eu/core/rtw_recv.c:1318:2: warning: argument 1 null where non-null expected [-Wnonnull]
 staging/rtl8712/rtl871x_recv.c: In function 'r8712_wlanhdr_to_ethhdr':
 staging/rtl8712/rtl871x_recv.c:649:2: warning: argument 1 null where non-null expected [-Wnonnull]

 I'm fixing this by adding a NULL pointer check and returning failure
 from the function, which is hopefully already handled properly.

 This seems to date back to when the drivers were originally added,
 so backporting the fix to stable seems appropriate. There are other
 related realtek drivers in the kernel, but none of them contain a
 function with a similar name or produce this warning.

 Cc: stable@vger.kernel.org
 Fixes: 1cc18a22b96b ("staging: r8188eu: Add files for new driver - part 5")
 Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")
 Signed-off-by: Arnd Bergmann <arnd@arndb.de>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/drivers/staging/rtl8188eu/core/rtw_recv.c b/drivers/staging/rtl8188eu/core/rtw_recv.c
 index 977bb2532c3e..6751e0cd62c0 100644
 --- a/drivers/staging/rtl8188eu/core/rtw_recv.c
 +++ b/drivers/staging/rtl8188eu/core/rtw_recv.c
 @@ -1381,6 +1381,8 @@ static int wlanhdr_to_ethhdr(struct recv_frame *precvframe)
  		ptr += 24;
  	} else {
  		ptr = recvframe_pull(precvframe, (rmv_len-sizeof(struct ethhdr) + (bsnaphdr ? 2 : 0)));
 +		if (!ptr)
 +			return _FAIL;
  	}

  	memcpy(ptr, pattrib->dst, ETH_ALEN);
 diff --git a/drivers/staging/rtl8712/rtl871x_recv.c b/drivers/staging/rtl8712/rtl871x_recv.c
 index 23c143890252..b1b17390df18 100644
 --- a/drivers/staging/rtl8712/rtl871x_recv.c
 +++ b/drivers/staging/rtl8712/rtl871x_recv.c
 @@ -635,11 +635,16 @@ sint r8712_wlanhdr_to_ethhdr(union recv_frame *precvframe)
  		/* append rx status for mp test packets */
  		ptr = recvframe_pull(precvframe, (rmv_len -
  		      sizeof(struct ethhdr) + 2) - 24);
 +		if (!ptr)
 +			return _FAIL;
  		memcpy(ptr, get_rxmem(precvframe), 24);
  		ptr += 24;
 -	} else
 +	} else {
  		ptr = recvframe_pull(precvframe, (rmv_len -
  		      sizeof(struct ethhdr) + (bsnaphdr ? 2 : 0)));
 +		if (!ptr)
 +			return _FAIL;
 +	}

  	memcpy(ptr, pattrib->dst, ETH_ALEN);
  	memcpy(ptr + ETH_ALEN, pattrib->src, ETH_ALEN);
 --
 2.12.0
	From 03221cc564bc45786928aa375434dfba544b4cf4 Mon Sep 17 00:00:00 2001
	From: Arnd Bergmann <arnd@arndb.de>
	Date: Wed, 11 Jan 2017 15:53:08 +0100
	Subject: [PATCH] staging: rtl: fix possible NULL pointer dereference

	commit 6e017006022abfea5d2466cad936065f45763ad1 upstream.

	gcc-7 detects that wlanhdr_to_ethhdr() in two drivers calls memcpy() with
	a destination argument that an earlier function call may have set to NULL:

	staging/rtl8188eu/core/rtw_recv.c: In function 'wlanhdr_to_ethhdr':
	staging/rtl8188eu/core/rtw_recv.c:1318:2: warning: argument 1 null where non-null expected [-Wnonnull]
	staging/rtl8712/rtl871x_recv.c: In function 'r8712_wlanhdr_to_ethhdr':
	staging/rtl8712/rtl871x_recv.c:649:2: warning: argument 1 null where non-null expected [-Wnonnull]

	I'm fixing this by adding a NULL pointer check and returning failure
	from the function, which is hopefully already handled properly.

	This seems to date back to when the drivers were originally added,
	so backporting the fix to stable seems appropriate. There are other
	related realtek drivers in the kernel, but none of them contain a
	function with a similar name or produce this warning.

	Cc: stable@vger.kernel.org
	Fixes: 1cc18a22b96b ("staging: r8188eu: Add files for new driver - part 5")
	Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")
	Signed-off-by: Arnd Bergmann <arnd@arndb.de>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/drivers/staging/rtl8188eu/core/rtw_recv.c b/drivers/staging/rtl8188eu/core/rtw_recv.c
	index 977bb2532c3e..6751e0cd62c0 100644
	--- a/drivers/staging/rtl8188eu/core/rtw_recv.c
	+++ b/drivers/staging/rtl8188eu/core/rtw_recv.c
	@@ -1381,6 +1381,8 @@ static int wlanhdr_to_ethhdr(struct recv_frame *precvframe)
	ptr += 24;
	} else {
	ptr = recvframe_pull(precvframe, (rmv_len-sizeof(struct ethhdr) + (bsnaphdr ? 2 : 0)));
	+ if (!ptr)
	+ return _FAIL;
	}

	memcpy(ptr, pattrib->dst, ETH_ALEN);
	diff --git a/drivers/staging/rtl8712/rtl871x_recv.c b/drivers/staging/rtl8712/rtl871x_recv.c
	index 23c143890252..b1b17390df18 100644
	--- a/drivers/staging/rtl8712/rtl871x_recv.c
	+++ b/drivers/staging/rtl8712/rtl871x_recv.c
	@@ -635,11 +635,16 @@ sint r8712_wlanhdr_to_ethhdr(union recv_frame *precvframe)
	/* append rx status for mp test packets */
	ptr = recvframe_pull(precvframe, (rmv_len -
	sizeof(struct ethhdr) + 2) - 24);
	+ if (!ptr)
	+ return _FAIL;
	memcpy(ptr, get_rxmem(precvframe), 24);
	ptr += 24;
	- } else
	+ } else {
	ptr = recvframe_pull(precvframe, (rmv_len -
	sizeof(struct ethhdr) + (bsnaphdr ? 2 : 0)));
	+ if (!ptr)
	+ return _FAIL;
	+ }

	memcpy(ptr, pattrib->dst, ETH_ALEN);
	memcpy(ptr + ETH_ALEN, pattrib->src, ETH_ALEN);
	--
	2.12.0