Re: [PATCH] wifi: ipw2x00: Fix potential NULL crypt->ops dereference in libipw_xmit()

Next message: Simon Horman: "Re: [PATCH V2 net-next 0/6] net: hns3: enhance tc flow offload support"
Previous message: Hongling Zeng: "[PATCH] gpib: fmh_gpib: Fix resource leaks in fmh_gpib_attach_impl"
In reply to: Nikolay Kuratov: "[PATCH] wifi: ipw2x00: Fix potential NULL crypt-&gt;ops dereference in libipw_xmit()"
Next in thread: Nikolay Kuratov: "Re:[PATCH] wifi: ipw2x00: Fix potential NULL crypt-&gt;ops dereference in libipw_xmit()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Johannes Berg

Date: Wed May 27 2026 - 05:59:19 EST

On Wed, 2026-05-27 at 12:08 +0300, Nikolay Kuratov wrote:
> crypt and crypt->ops could be null, so we need to checking null
> before dereference
>
> Previously the commit
> e8366bbabe1d ("ipw2x00: Fix potential NULL dereference in libipw_xmit()")
> partially fixed that same issue in libipw_xmit().
> This is similar to CVE-2022-49544.
>
> Found by Svace static analysis tool.

Might want to fix your tool to look deeper than just pattern-matching
the surrounding code :) The prior commit was also already wrong.

We already have

host_encrypt = ieee->host_encrypt && encrypt && crypt;

so "host_encrypt && crypt" is equivalent to checking just
"host_encrypt".

And the only way to set the crypt[] array where a non-NULL 'crypt' comes
from will always have ops, so "crypt && crypt->ops" is equivalent to
checking just "crypt".

johannes