In some places, the return value of msgb_alloc/msgb_alloc_headroom is not checked before it is dereferenced.

This commit adds NULL checks to return with -ENOMEM from the calling functions if the alloc function has failed.

Fixes: Coverity CID 1249692, 1293376 Sponsored-by: On-Waves ehf --- src/gsm/lapdm.c | 3 +++ src/sim/reader.c | 3 +++ 2 files changed, 6 insertions(+)

diff --git a/src/gsm/lapdm.c b/src/gsm/lapdm.c index 698f850..54d3a0b 100644 --- a/src/gsm/lapdm.c +++ b/src/gsm/lapdm.c @@ -675,6 +675,9 @@ static int l2_ph_rach_ind(struct lapdm_entity *le, uint8_t ra, uint32_t fn, uint struct gsm_time gt; struct msgb *msg = msgb_alloc_headroom(512, 64, "RSL CHAN RQD");

+ if (!msg) + return -ENOMEM; + msg->l2h = msgb_push(msg, sizeof(*ch)); ch = (struct abis_rsl_cchan_hdr *)msg->l2h; rsl_init_cchan_hdr(ch, RSL_MT_CHAN_RQD); diff --git a/src/sim/reader.c b/src/sim/reader.c index 160f175..e7169b5 100644 --- a/src/sim/reader.c +++ b/src/sim/reader.c @@ -58,6 +58,9 @@ static int transceive_apdu_t0(struct osim_card_hdl *st, struct msgb *amsg) uint16_t sw; int rc, num_resp = 0;

+ if (!tmsg) + return -ENOMEM; + /* create TPDU header from APDU header */ tpduh = (struct osim_apdu_cmd_hdr *) msgb_put(tmsg, sizeof(*tpduh)); memcpy(tpduh, msgb_apdu_h(amsg), sizeof(*tpduh));