From: Daniil Berendeev
To: Benjamin Kaduk
Cc: freebsd-hackers@FreeBSD.org
Subject: Re: Multiple possible null-pointer dereferences
Date: Thu, 15 Sep 2016 19:36:03 +0000
Message-ID: <7022fa33-8789-0ac1-fbc9-7c2780149b49@openmailbox.org>
References: <614a3aa7-a903-23f5-33b8-c367f22cd454@openmailbox.org>

> But, all the pasted examples looked like they were or were likely to be in
> contrib code

Yes, the pasted examples are from contrib/ code, but similar code exists
in usr.sbin/, sys/, crypto/, lib/, libexec/, sbin/, just a few examples
from sys:

1) sys/boot/ficl/ficl.c:274

    void ficlFreeVM(FICL_VM *pVM)
    {
        // Again, we at first dereference the pointer
        FICL_SYSTEM *pSys = pVM->pSys;
        FICL_VM *pList = pSys->vmList;

        // And then check if it is valid
        assert(pVM != 0);
        // ...

2) sys/dev/iwn/if_iwn.c:6853

    if (ss != NULL) { // we check if ss is valid
        if (ss->ss_ssid[0].len != 0) {
        // then some operations are performed over ss,
        // but they are all done inside the if expression.
        // Nothing is done in case ss == NULL.

    // Then, after a bunch of lines
    // we do this (line 6933):
    if (ss->ss_nssid > 0)
        chan->flags |= htole32(IWN_CHAN_NPBREQS(1));
    // Nothing is done with ss between the if() statement
    // and the dereference

So, if these are actually bugs, I'd mark them as needed for fixing (as,
sometimes, it's not clear what should be done in the fail case and
should be better left up to the maintainer to decide) and send the
patches to the mailing list (among others).

-- 
Cheers~

PGP key fingerprint:
07B3 2177 3E27 BF41 DC65 CC95 BDA8 88F1 E9F9 CEEF

You can retrieve my public key at pgp.mit.edu.
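
The two patterns described in the message above, reduced to a stand-alone C example beside a check-first form. This is an added example, not code from the original post or from FreeBSD; the struct and function names are constructed stand-ins, and returning -1 or an empty flag set for a NULL argument is an assumed failure policy.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-ins for the quoted code's types; not FreeBSD's own. */
struct sys  { int vm_count; };
struct vm   { struct sys *sys; };
struct scan { int nssid; int ssid_len; };
#define FLAG_ACTIVE  0x1u
#define FLAG_NPBREQS 0x2u

/* Pattern 1: dereference first, validate afterwards. A NULL vm faults on the
 * first line, and an optimizing compiler may delete the late check. */
int vm_release_unchecked(struct vm *vm)
{
    struct sys *sys = vm->sys;
    if (vm == NULL)
        return -1;
    return --sys->vm_count;
}

/* Check-first form; -1 on NULL is an assumed failure policy. */
int vm_release_checked(struct vm *vm)
{
    if (vm == NULL || vm->sys == NULL)
        return -1;
    return --vm->sys->vm_count;
}

/* Pattern 2: the guard covers the first use only. */
uint32_t chan_flags_partial(const struct scan *ss)
{
    uint32_t flags = 0;
    if (ss != NULL && ss->ssid_len != 0)
        flags |= FLAG_ACTIVE;
    if (ss->nssid > 0)          /* outside the guard: faults when ss == NULL */
        flags |= FLAG_NPBREQS;
    return flags;
}

/* Every dereference sits behind one early check (assumed: no flags on NULL). */
uint32_t chan_flags_guarded(const struct scan *ss)
{
    uint32_t flags = 0;
    if (ss == NULL)
        return flags;
    if (ss->ssid_len != 0)
        flags |= FLAG_ACTIVE;
    if (ss->nssid > 0)
        flags |= FLAG_NPBREQS;
    return flags;
}
```

Only the checked variants are safe to call with NULL; the unchecked ones behave identically on valid pointers, which is why this class of defect tends to survive ordinary testing.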