From: Ted Unangst
Date: Wed, 18 Aug 2004 00:26:22 -0700
To: hackers@freebsd.org
Subject: too late null checks
Message-ID: <4123049E.9000900@coverity.com>
List-Id: Technical Discussions relating to FreeBSD

Bugs found with Coverity's automated analysis. In each case, either the NULL check is unnecessary, or it's too late because the variable was already deref'd.

dev/firewire/fwohci.c:dump_db (debugging function)
    pp can not be null (crash if it is)

dev/mpt/mpt_pci.c:mpt_detach
    a null mpt won't survive mpt_prt

netinet/tcp_subr.c:tcp_mtudisc
    tp has already been dereferenced to obtain isipv6 result

usb/dev/urio.c:urio_attach
    if uaa->device can be null, usbd_devinfo already used it.

cam/cam_xpt.c:xptplistperiphfunc
    check at line 2532 looks wrong. perhaps should be *pdrv == NULL?

dev/twe/twe.c:twe_ioctl
    if you make it to line 552, tr is definitely not null.

kern/vfs_subr.c:reassignbufs (4.10)
    1408 while (tbp && tbp->b_lblkno < 0)
    1409         tdp = TAILQ_PREV(tbp, buflists, b_vnbufs);
    1410 TAILQ_INSERT_AFTER(listheadp, tbp, bp, b_vnbufs);
    if the first while() test fails, tailq insert will crash. i'm not sure where this code went in current.

some other bugs of a similar nature have already been fixed or the code removed in current, let me know if you are still interested in 4.10 results.
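
Added example, not part of the original message and not FreeBSD source: a simplified model of the reassignbufs pattern reported above, where a backward walk guarded by a NULL test can end with a NULL pointer that is then handed to the insert. struct buf, struct buflist, insert_after and insert_before_negatives are hypothetical stand-ins, and the walk direction (tail toward head) is an assumption.

```c
#include <stddef.h>

/* Hypothetical stand-ins for the kernel's buffer and list head. */
struct buf {
    long lblkno;
    struct buf *prev, *next;
};

struct buflist {
    struct buf *first, *last;
};

/* Link bp directly after 'after'; after == NULL means insert at the head. */
static void insert_after(struct buflist *l, struct buf *after, struct buf *bp)
{
    bp->prev = after;
    bp->next = after ? after->next : l->first;
    if (bp->next)
        bp->next->prev = bp;
    else
        l->last = bp;
    if (after)
        after->next = bp;
    else
        l->first = bp;
}

/*
 * Walk back from the tail past entries with negative block numbers, then
 * insert bp after the entry where the walk stopped.
 * Returns 1 if the walk ran off the head of the list, 0 otherwise.
 */
int insert_before_negatives(struct buflist *l, struct buf *bp)
{
    struct buf *tbp = l->last;

    while (tbp && tbp->lblkno < 0)
        tbp = tbp->prev;

    /*
     * The loop condition tests tbp for NULL, so NULL is a possible exit
     * value (empty list, or every entry negative). An insert-after that
     * dereferences tbp unconditionally would fault here.
     */
    if (tbp == NULL) {
        insert_after(l, NULL, bp);   /* head insert instead of a NULL deref */
        return 1;
    }
    insert_after(l, tbp, bp);
    return 0;
}
```

The point for review is that a NULL test in a loop condition documents that NULL can survive the loop, so the statement after the loop needs its own handling of that case.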