[net-wireless-orinoco] question about potential null pointer dereference
From: Gustavo A. R. Silva
Date: Tue May 30 2017 - 13:00:40 EST
Hello everybody,
While looking into Coverity ID 1357460 I ran into the following piece
of code at drivers/net/wireless/intersil/orinoco/mic.c:48
48int orinoco_mic(struct crypto_shash *tfm_michael, u8 *key,
49 u8 *da, u8 *sa, u8 priority,
50 u8 *data, size_t data_len, u8 *mic)
51{
52 SHASH_DESC_ON_STACK(desc, tfm_michael);
53 u8 hdr[ETH_HLEN + 2]; /* size of header + padding */
54 int err;
55
56 if (tfm_michael == NULL) {
57 printk(KERN_WARNING "orinoco_mic: tfm_michael == NULL\n");
58 return -1;
59 }
60
61 /* Copy header into buffer. We need the padding on the end zeroed */
62 memcpy(&hdr[0], da, ETH_ALEN);
63 memcpy(&hdr[ETH_ALEN], sa, ETH_ALEN);
64 hdr[ETH_ALEN * 2] = priority;
65 hdr[ETH_ALEN * 2 + 1] = 0;
66 hdr[ETH_ALEN * 2 + 2] = 0;
67 hdr[ETH_ALEN * 2 + 3] = 0;
68
69 desc->tfm = tfm_michael;
70 desc->flags = 0;
71
72 err = crypto_shash_setkey(tfm_michael, key, MIC_KEYLEN);
73 if (err)
74 return err;
75
76 err = crypto_shash_init(desc);
77 if (err)
78 return err;
79
80 err = crypto_shash_update(desc, hdr, sizeof(hdr));
81 if (err)
82 return err;
83
84 err = crypto_shash_update(desc, data, data_len);
85 if (err)
86 return err;
87
88 err = crypto_shash_final(desc, mic);
89 shash_desc_zero(desc);
90
91 return err;
92}
The issue here is that line 56 implies that pointer tfm_michael might
be NULL. If this is the case, there is a potential NULL pointer
dereference at line 52 once pointer tfm_michael is indirectly
dereferenced inside macro SHASH_DESC_ON_STACK().
My question is if there is any chance that pointer tfm_michael might
be NULL when calling macro SHASH_DESC_ON_STACK() ?
I'm trying to figure out if this is a false positive or something that
needs to be fixed somehow.
I'd really appreciate any comment on this.
Thank you!
--
Gustavo A. R. Silva