Re: [BUG] mwifiex: possible null-pointer dereference in mwifiex_dnld_cmd_to_fw()

[Li Tuo]

Thanks for your feedback! I think we can test and submit a patch to drop
the excess check as the example you mentioned.

Best wishes,
Tuo Li


On 2021/8/3 4:44, Brian Norris wrote:
> Hi,
>
> On Fri, Jul 30, 2021 at 9:13 PM Li Tuo <islituo@xxxxxxxxx> wrote:
> > Our static analysis tool finds a possible null-pointer dereference in
> > the mwifiex driver in Linux 5.14.0-rc3:
> Wouldn't be the first time a static analysis tool tripped up over
> excessively redundant "safety" checks :)
>
> For example:
> https://lore.kernel.org/linux-wireless/20210731163546.10753-1-len.baker@xxxxxxx/T/#u
>
> > The variable cmd_node->cmd_skb->data is assigned to the variable
> > host_cmd, and host_cmd is checked in:
> > 190:    if (host_cmd == NULL || host_cmd->size == 0)
> >
> > This indicates that host_cmd can be NULL.
> > If so, the function mwifiex_recycle_cmd_node() will be called with the
> > argument cmd_node:
> > 196:    mwifiex_recycle_cmd_node(adapter, cmd_node);
> >
> > In this called function, the variable cmd_node->cmd_skb->data is
> > assigned to the variable host_cmd, too.
> > Thus the variable host_cmd in the function mwifiex_recycle_cmd_node()
> > can be also NULL.
> > However, it is dereferenced when calling le16_to_cpu():
> > 144:    le16_to_cpu(host_cmd->command)
> >
> > I am not quite sure whether this possible null-pointer dereference is
> > real and how to fix it if it is real.
> > Any feedback would be appreciated, thanks!
> I doubt it's real; the NULL check is probably excessive. I don't think
> there's any case in which such skb's will have no ->data. If you're
> interested, you could test and submit a "fix" to drop the excess
> check.
>
> Brian