Staging: rt2860: fix possible NULL dereferences
authorRoel Kluin <roel.kluin@gmail.com>
Mon, 31 Aug 2009 10:26:43 +0000 (12:26 +0200)
committerGreg Kroah-Hartman <gregkh@suse.de>
Tue, 15 Sep 2009 19:02:33 +0000 (12:02 -0700)
Allocations may fail, prevent NULL dereferences.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/staging/rt2860/common/ba_action.c
drivers/staging/rt2860/common/cmm_data.c
drivers/staging/rt2860/rt_main_dev.c

index 79a51640f6bc41c5eba731e07a7db99e2ae1a3d7..b7bbe99d4d57edf8cb7df564849ea45f77cd81de 100644 (file)
@@ -867,6 +867,8 @@ VOID BAOriSessionTearDown(
                        // force send specified TID DelBA
                        MLME_DELBA_REQ_STRUCT   DelbaReq;
                        MLME_QUEUE_ELEM *Elem = (MLME_QUEUE_ELEM *) kmalloc(sizeof(MLME_QUEUE_ELEM), MEM_ALLOC_FLAG);
+                       if (Elem == NULL)
+                               return;
 
                        NdisZeroMemory(&DelbaReq, sizeof(DelbaReq));
                        NdisZeroMemory(Elem, sizeof(MLME_QUEUE_ELEM));
@@ -900,6 +902,8 @@ VOID BAOriSessionTearDown(
        {
                MLME_DELBA_REQ_STRUCT   DelbaReq;
                MLME_QUEUE_ELEM *Elem = (MLME_QUEUE_ELEM *) kmalloc(sizeof(MLME_QUEUE_ELEM), MEM_ALLOC_FLAG);
+               if (Elem == NULL)
+                       return;
 
                NdisZeroMemory(&DelbaReq, sizeof(DelbaReq));
                NdisZeroMemory(Elem, sizeof(MLME_QUEUE_ELEM));
index abbbcbfcf26d5991c50be89b600bcaa372e638b6..774fabb0be406b6b549ea141ab83385973fbb9b7 100644 (file)
@@ -2011,6 +2011,8 @@ UINT deaggregate_AMSDU_announce(
                {
                    // avoid local heap overflow, use dyanamic allocation
                   MLME_QUEUE_ELEM *Elem = (MLME_QUEUE_ELEM *) kmalloc(sizeof(MLME_QUEUE_ELEM), MEM_ALLOC_FLAG);
+                  if (Elem == NULL)
+                       return;
                   memmove(Elem->Msg+(LENGTH_802_11 + LENGTH_802_1_H), pPayload, PayloadSize);
                   Elem->MsgLen = LENGTH_802_11 + LENGTH_802_1_H + PayloadSize;
                   WpaEAPOLKeyAction(pAd, Elem);
index 7f4441462a124122eea530c39cad387aef1d5999..22f37cfbefbee133a3b63690ce14d974899fa2a3 100644 (file)
@@ -777,6 +777,8 @@ INT __devinit   rt28xx_probe(
 
        // Allocate RTMP_ADAPTER miniport adapter structure
        handle = kmalloc(sizeof(struct os_cookie), GFP_KERNEL);
+       if (handle == NULL)
+               goto err_out_free_netdev;;
        RT28XX_HANDLE_DEV_ASSIGN(handle, dev_p);
 
        status = RTMPAllocAdapterBlock(handle, &pAd);