Multiple possible null-pointer dereferences

Daniil Berendeev pipfstarrd at openmailbox.org
Thu Sep 15 19:42:37 UTC 2016


> But, all the pasted examples looked like they were or were likely to be in
> contrib code
Yes, the pasted examples are from contrib/ code, but similar code exists
in usr.sbin/, sys/, crypto/, lib/, libexec/ and sbin/. Just a few examples
from sys:

1) sys/boot/ficl/ficl.c:274
void ficlFreeVM(FICL_VM *pVM)
{
    // Again, we at first dereference the pointer
    FICL_SYSTEM *pSys = pVM->pSys;
    FICL_VM *pList = pSys->vmList;

    // And then check if it is valid
    assert(pVM != 0);
    // ...

2) sys/dev/iwn/if_iwn.c:6853
	if (ss != NULL) { // we check if ss is valid
		if (ss->ss_ssid[0].len != 0) {

	// then some operations are performed over ss,
	// but they are all done inside the if expression.
	// Nothing is done in case ss == NULL.

	// Then, after a bunch of lines
	// we do this (line 6933):
	if (ss->ss_nssid > 0)
		chan->flags |= htole32(IWN_CHAN_NPBREQS(1));

	// Nothing is done with ss between the if() statement
	// and the dereference



So, if these are actually bugs, I'd mark them as needed for fixing (as,
sometimes, it's not clear what should be done in the fail case and
should be better left up to the maintainer to decide) and send the
patches to the mailing list (among others).

-- 
Cheers~

PGP key fingerprint:
07B3 2177 3E27 BF41 DC65  CC95 BDA8 88F1 E9F9 CEEF

You can retrieve my public key at pgp.mit.edu.
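As an added example (not code from the post or from FreeBSD), the two patterns above are shown side by side with a reordered form in which every pointer is validated before it is dereferenced and the NULL case is reported to the caller; the types and field names are constructed stand-ins for the ficl and if_iwn structures, not the real ones.

```c
#include <assert.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-ins for the ficl FICL_SYSTEM / FICL_VM types. */
typedef struct vm VM;
typedef struct sys { VM *vmList; } SYS;
struct vm { SYS *pSys; VM *link; };

/* Ordering as in the excerpt: pVM is dereferenced before the assert that
 * is meant to validate it, so a NULL pVM faults before the check runs. */
void free_vm_as_posted(VM *pVM)
{
    SYS *pSys = pVM->pSys;
    VM *pList = pSys->vmList;
    assert(pVM != 0);
    if (pList == pVM)
        pSys->vmList = pVM->link;
    free(pVM);
}

/* Reordered: each pointer is checked before its first dereference, and the
 * failure case returns -1 instead of trapping or asserting too late. */
int free_vm_checked(VM *pVM)
{
    if (pVM == NULL || pVM->pSys == NULL)
        return -1;
    SYS *pSys = pVM->pSys;
    if (pSys->vmList == pVM)
        pSys->vmList = pVM->link;
    free(pVM);
    return 0;
}

/* Constructed stand-in for the if_iwn scan-state pattern: the second use
 * of ss sits outside the first if(), so it needs its own NULL guard. */
struct scan_state { struct { unsigned len; } ss_ssid[1]; int ss_nssid; };

unsigned chan_flags_checked(const struct scan_state *ss)
{
    unsigned flags = 0;
    if (ss != NULL && ss->ss_ssid[0].len != 0)
        flags |= 1u;                      /* stands in for the first block */
    if (ss != NULL && ss->ss_nssid > 0)   /* guard repeated, not assumed */
        flags |= 2u;                      /* stands in for IWN_CHAN_NPBREQS(1) */
    return flags;
}
```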


More information about the freebsd-hackers mailing list