From: Jesper Juhl Date: Fri, 8 Dec 2006 10:39:34 +0000 (-0800) Subject: [PATCH] ISDN: Avoid a potential NULL ptr deref in ippp X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=f6e2cdc8aa395ea813603bfd81b70b5c461a8ebf;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git [PATCH] ISDN: Avoid a potential NULL ptr deref in ippp There's a potential problem in isdn_ppp.c::isdn_ppp_decompress(). dev_alloc_skb() may fail and return NULL. If it does we will be passing a NULL skb_out to ipc->decompress() and may also end up dereferencing a NULL pointer at *proto = isdn_ppp_strip_proto(skb_out); Correct this by testing 'skb_out' against NULL early and bail out. Signed-off-by: Jesper Juhl Cc: Karsten Keil Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c index 175199088bf4..26e46720fc1c 100644 --- a/drivers/isdn/i4l/isdn_ppp.c +++ b/drivers/isdn/i4l/isdn_ppp.c @@ -2536,6 +2536,11 @@ static struct sk_buff *isdn_ppp_decompress(struct sk_buff *skb,struct ippp_struc rsparm.maxdlen = IPPP_RESET_MAXDATABYTES; skb_out = dev_alloc_skb(is->mru + PPP_HDRLEN); + if (!skb_out) { + kfree_skb(skb); + printk(KERN_ERR "ippp: decomp memory allocation failure\n"); + return NULL; + } len = ipc->decompress(stat, skb, skb_out, &rsparm); kfree_skb(skb); if (len <= 0) {