From f6e2cdc8aa395ea813603bfd81b70b5c461a8ebf Mon Sep 17 00:00:00 2001 From: Jesper Juhl Date: Fri, 8 Dec 2006 02:39:34 -0800 Subject: [PATCH] ISDN: Avoid a potential NULL ptr deref in ippp There's a potential problem in isdn_ppp.c::isdn_ppp_decompress(). dev_alloc_skb() may fail and return NULL. If it does we will be passing a NULL skb_out to ipc->decompress() and may also end up dereferencing a NULL pointer at *proto = isdn_ppp_strip_proto(skb_out); Correct this by testing 'skb_out' against NULL early and bail out. Signed-off-by: Jesper Juhl Cc: Karsten Keil Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/isdn/i4l/isdn_ppp.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'drivers/isdn/i4l') diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c index 1751990..26e4672 100644 --- a/drivers/isdn/i4l/isdn_ppp.c +++ b/drivers/isdn/i4l/isdn_ppp.c @@ -2536,6 +2536,11 @@ static struct sk_buff *isdn_ppp_decompress(struct sk_buff *skb,struct ippp_struc rsparm.maxdlen = IPPP_RESET_MAXDATABYTES; skb_out = dev_alloc_skb(is->mru + PPP_HDRLEN); + if (!skb_out) { + kfree_skb(skb); + printk(KERN_ERR "ippp: decomp memory allocation failure\n"); + return NULL; + } len = ipc->decompress(stat, skb, skb_out, &rsparm); kfree_skb(skb); if (len <= 0) { -- cgit v1.1