Multiple possible null-pointer dereferences
Daniil Berendeev
pipfstarrd at openmailbox.org
Thu Sep 15 19:42:37 UTC 2016
> But, all the pasted examples looked like they were or were likely to be in
> contrib code
Yes, the pasted examples are from contrib/ code, but similar code exists
in usr.sbin/, sys/, crypto/, lib/, libexec/ and sbin/. Just a few examples
from sys/:
1) sys/boot/ficl/ficl.c:274

   void ficlFreeVM(FICL_VM *pVM)
   {
       // Again, we at first dereference the pointer
       FICL_SYSTEM *pSys = pVM->pSys;
       FICL_VM *pList = pSys->vmList;
       // And then check if it is valid
       assert(pVM != 0);
       // ...
2) sys/dev/iwn/if_iwn.c:6853

   if (ss != NULL) {                        // we check if ss is valid
       if (ss->ss_ssid[0].len != 0) {
           // then some operations are performed over ss,
           // but they are all done inside the if expression.
           // Nothing is done in case ss == NULL.

   // Then, after a bunch of lines
   // we do this (line 6933):
   if (ss->ss_nssid > 0)
       chan->flags |= htole32(IWN_CHAN_NPBREQS(1));
   // Nothing is done with ss between the if() statement
   // and the dereference
So, if these are actually bugs, I'd mark them as needed for fixing (as,
sometimes, it's not clear what should be done in the fail case and
should be better left up to the maintainer to decide) and send the
patches to the mailing list (among others).
--
Cheers~
PGP key fingerprint:
07B3 2177 3E27 BF41 DC65 CC95 BDA8 88F1 E9F9 CEEF
You can retrieve my public key at pgp.mit.edu.
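Both excerpts above are instances of one defect class: a pointer is dereferenced on some path before (or outside) the code that checks it for NULL, so the check protects nothing. The following is an added example, not code from the message or from FreeBSD, showing the hardened shape of each pattern with constructed stand-in types (struct vm, struct vm_system, struct scan_state and the flag constants are hypothetical, not the real FICL or iwn definitions): in the first, the check precedes the first dereference; in the second, a single early exit covers every later use of the pointer, including the one the original left outside the guarded block.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in types; not FreeBSD's FICL or iwn structures. */
struct vm_system { int live_vms; };
struct vm        { struct vm_system *pSys; };

struct ssid       { uint8_t len; };
struct scan_state { struct ssid ss_ssid[4]; int ss_nssid; };

/* Constructed flag bits, standing in for IWN_CHAN_NPBREQS(1) and friends. */
#define CHAN_NPBREQS_FLAG 0x00000001u
#define CHAN_ACTIVE_FLAG  0x00000002u

/* Hardened form of the ficl pattern: validate the argument before the
 * first dereference, so a NULL caller error is reported, not faulted on.
 * Returns 0 on success and -1 when pVM is NULL. */
int free_vm_checked(struct vm *pVM)
{
    if (pVM == NULL)
        return -1;                  /* check first, dereference second */
    struct vm_system *pSys = pVM->pSys;
    if (pSys != NULL)               /* nested pointer gets its own guard */
        pSys->live_vms--;
    free(pVM);
    return 0;
}

/* Hardened form of the iwn pattern: one early exit makes every use of ss
 * below it safe, including the ss_nssid test that the original placed
 * outside the if (ss != NULL) block. Returns the computed flag word;
 * 0 when ss is NULL. */
uint32_t chan_flags_for_scan(const struct scan_state *ss)
{
    uint32_t flags = 0;
    if (ss == NULL)
        return flags;               /* covers all later dereferences */
    if (ss->ss_ssid[0].len != 0)
        flags |= CHAN_ACTIVE_FLAG;  /* constructed "active scan" marker */
    if (ss->ss_nssid > 0)           /* the use left unguarded originally */
        flags |= CHAN_NPBREQS_FLAG;
    return flags;
}

int main(void)
{
    struct vm_system sys = { .live_vms = 1 };
    struct vm *vm = malloc(sizeof *vm);
    vm->pSys = &sys;
    assert(free_vm_checked(vm) == 0 && sys.live_vms == 0);
    assert(free_vm_checked(NULL) == -1);   /* no crash, just an error */

    struct scan_state ss = { .ss_ssid = {{ .len = 5 }}, .ss_nssid = 1 };
    assert(chan_flags_for_scan(&ss) == (CHAN_ACTIVE_FLAG | CHAN_NPBREQS_FLAG));
    assert(chan_flags_for_scan(NULL) == 0);
    return 0;
}
```

The second function is the more instructive one for triage: a guard that only wraps some uses of a pointer is evidence that the author considered NULL possible, so a later unguarded use in the same function is a real bug rather than a harmless redundant check, which is the distinction a static-analysis report like the one discussed here needs a maintainer to make.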