Date: Thu, 15 Sep 2016 19:36:03 +0000
From: Daniil Berendeev <pipfstarrd@openmailbox.org>
To: Benjamin Kaduk <kaduk@MIT.EDU>
Cc: freebsd-hackers@FreeBSD.org
Subject: Re: Multiple possible null-pointer dereferences
Message-ID: <7022fa33-8789-0ac1-fbc9-7c2780149b49@openmailbox.org>
In-Reply-To: <alpine.GSO.1.10.1609151515460.5272@multics.mit.edu>
References: <614a3aa7-a903-23f5-33b8-c367f22cd454@openmailbox.org> <alpine.GSO.1.10.1609151515460.5272@multics.mit.edu>
> But, all the pasted examples looked like they were or were likely to be in
> contrib code
Yes, the pasted examples are from contrib/ code, but similar code exists
in usr.sbin/, sys/, crypto/, lib/, libexec/, sbin/, just a few examples
from sys:
1) sys/boot/ficl/ficl.c:274
void ficlFreeVM(FICL_VM *pVM)
{
// Again, we at first dereference the pointer
FICL_SYSTEM *pSys = pVM->pSys;
FICL_VM *pList = pSys->vmList;
// And then check if it is valid
assert(pVM != 0);
// ...
2) sys/dev/iwn/if_iwn.c:6853
if (ss != NULL) { // we check if ss is valid
if (ss->ss_ssid[0].len != 0) {
// then some operations are performed over ss,
// but they are all done inside the if expression.
// Nothing is done in case ss == NULL.
// Then, after a bunch of lines
// we do this (line 6933):
if (ss->ss_nssid > 0)
chan->flags |= htole32(IWN_CHAN_NPBREQS(1));
// Nothing is done with ss between the if() statement
// and the dereference
So, if these are actually bugs, I'd mark them as needed for fixing (as,
sometimes, it's not clear what should be done in the fail case and
should be better left up to the maintainer to decide) and send the
patches to the mailing list (among others).
--
Cheers~
PGP key fingerprint:
07B3 2177 3E27 BF41 DC65 CC95 BDA8 88F1 E9F9 CEEF
You can retrieve my public key at pgp.mit.edu.
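An added example, not part of the message above and not FreeBSD code: the two "dereference, then check" shapes Daniil quotes (the ficlFreeVM one, where the pointer is used before it is asserted, and the if_iwn one, where a pointer tested once is used again later without the guard), each next to a safer rewrite. Every name here (vm_sys, vm, scan_set, FLAG_ACTIVE, FLAG_NPBREQS) is hypothetical, and the sample inputs are constructed inline so the file runs offline.

```c
/*
 * Added example, not FreeBSD code. All type, function and flag names are
 * hypothetical stand-ins for the real ficl and iwn structures.
 */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct vm;
struct vm_sys { struct vm *vm_list; };          /* head of this system's VM list */
struct vm     { struct vm_sys *sys; struct vm *next; };

/* Shape 1 (the ficlFreeVM excerpt): vm is dereferenced first and asserted
 * afterwards. With vm == NULL the fault happens on the first line and the
 * assert never runs. An optimizing compiler may also treat the earlier
 * dereference as proof that vm != NULL and delete the check outright
 * (GCC's -fdelete-null-pointer-checks), so the assert is dead code. */
int unlink_vm_buggy(struct vm *vm)
{
    struct vm_sys *sys = vm->sys;               /* dereference ... */
    struct vm **pp = &sys->vm_list;
    assert(vm != NULL);                         /* ... then check: too late */
    for (; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == vm) { *pp = vm->next; vm->next = NULL; return 0; }
    }
    return -2;
}

/* Safer: validate every pointer on the path before touching it, and return
 * a status the caller can act on instead of faulting. */
int unlink_vm_fixed(struct vm *vm)
{
    if (vm == NULL || vm->sys == NULL)
        return -1;                              /* invalid argument */
    for (struct vm **pp = &vm->sys->vm_list; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == vm) {
            *pp = vm->next;
            vm->next = NULL;
            return 0;
        }
    }
    return -2;                                  /* vm not on its system's list */
}

struct ssid     { int len; uint8_t data[32]; };
struct scan_set { int nssid; struct ssid ssid[4]; };

#define FLAG_ACTIVE      ((uint32_t)1 << 0)     /* made-up bit values */
#define FLAG_NPBREQS(n)  ((uint32_t)(n) << 24)

/* Shape 2 (the if_iwn excerpt): ss is tested once, but a later statement
 * outside that block dereferences it again with no guard. The first test
 * says the author considered a NULL ss possible; the second use forgets it. */
uint32_t chan_flags_buggy(const struct scan_set *ss)
{
    uint32_t flags = 0;
    if (ss != NULL) {
        if (ss->ssid[0].len != 0)
            flags |= FLAG_ACTIVE;
    }
    /* ... other work that does not touch ss ... */
    if (ss->nssid > 0)                          /* faults when ss == NULL */
        flags |= FLAG_NPBREQS(1);
    return flags;
}

/* Safer: keep every use of ss under the one guard. */
uint32_t chan_flags_fixed(const struct scan_set *ss)
{
    uint32_t flags = 0;
    if (ss != NULL) {
        if (ss->ssid[0].len != 0)
            flags |= FLAG_ACTIVE;
        if (ss->nssid > 0)
            flags |= FLAG_NPBREQS(1);
    }
    return flags;
}

/* Constructed sample inputs: a two-entry VM list and a one-SSID scan set. */
int demo_unlink_ok(void)
{
    struct vm_sys sys = { NULL };
    struct vm a = { &sys, NULL }, b = { &sys, NULL };
    sys.vm_list = &a;
    a.next = &b;
    if (unlink_vm_fixed(&b) != 0)
        return 0;
    return sys.vm_list == &a && a.next == NULL; /* b removed, a intact */
}

uint32_t demo_chan_flags_active(void)
{
    struct scan_set ss = { .nssid = 1 };
    ss.ssid[0].len = 3;
    return chan_flags_fixed(&ss);
}

int main(void)
{
    printf("unlink NULL -> %d, unlink ok -> %d\n",
           unlink_vm_fixed(NULL), demo_unlink_ok());
    printf("flags NULL -> %u, flags active -> 0x%08x\n",
           (unsigned)chan_flags_fixed(NULL), (unsigned)demo_chan_flags_active());
    return 0;
}
```

The point of the rewrites is not the assert itself but its position: a NULL check only protects the uses that come after it in every path, and a check the compiler can prove redundant from an earlier dereference protects nothing. When triaging findings like the ones in the message, the question to answer for each site is whether a NULL argument is actually reachable from any caller; if it is, the fix belongs in the callee as above, and if it is not, the early dereference is merely misleading and the assert should move up for clarity.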
