Date: Mon, 17 Nov 2008 17:51:52 +0100
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: Philip Paeps <philip@FreeBSD.org>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r185021 - head/sys/dev/glxsb
Message-ID: <20081117165006.GA1489@garage.freebsd.pl>
In-Reply-To: <200811170709.mAH79ecr075977@svn.freebsd.org>
References: <200811170709.mAH79ecr075977@svn.freebsd.org>

On Mon, Nov 17, 2008 at 07:09:40AM +0000, Philip Paeps wrote:
> Author: philip
> Date: Mon Nov 17 07:09:40 2008
> New Revision: 185021
> URL: http://svn.freebsd.org/changeset/base/185021
>
> Log:
>   Fix two possible (but unlikely) NULL-pointer dereferences in glxsb(4).
>
>   Spotted by: Coverity
>   MFC after: 1 week
>
> Modified:
>   head/sys/dev/glxsb/glxsb.c
>
> Modified: head/sys/dev/glxsb/glxsb.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- head/sys/dev/glxsb/glxsb.c Mon Nov 17 07:03:05 2008 (r185020) > +++ head/sys/dev/glxsb/glxsb.c Mon Nov 17 07:09:40 2008 (r185021) > @@ -358,7 +358,8 @@ glxsb_detach(device_t dev) > return (EBUSY); > } > } > - while ((ses =3D TAILQ_FIRST(&sc->sc_sessions)) !=3D NULL) { > + while (!TAILQ_EMPTY(&sc->sc_sessions)) { > + ses =3D TAILQ_FIRST(&sc->sc_sessions);

This is perfectly valid, and if it was reported by coverity, it is a false positive.

> TAILQ_REMOVE(&sc->sc_sessions, ses, ses_next); > free(ses, M_GLXSB); > }
> @@ -867,8 +868,11 @@ glxsb_crypto_process(device_t dev, struc > =20 > enccrd =3D maccrd =3D NULL; > =20 > - if (crp =3D=3D NULL || > - crp->crp_callback =3D=3D NULL || crp->crp_desc =3D=3D NULL) { > + /* Sanity check. */ > + if (crp =3D=3D NULL) > + return (EINVAL); > + > + if (crp->crp_callback =3D=3D NULL || crp->crp_desc =3D=3D NULL) { > error =3D EINVAL; > goto fail; > }

This one is ok. The same one exists in padlock(4), could you fix it too?

--
Pawel Jakub Dawidek http://www.wheel.pl
pjd@FreeBSD.org http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
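
Review bot: In the glxsb_detach hunk (@@ -358,7 +358,8 @@), the removed loop condition "(ses = TAILQ_FIRST(&sc->sc_sessions)) != NULL" already compared the pointer with NULL before the loop body ran, so the TAILQ_EMPTY() form hands TAILQ_REMOVE() and free() the same non-NULL ses as before and closes no dereference. Suggest dropping this half of the change; if it is kept only to quiet the analyzer, the log should say that rather than count it as one of the two fixes.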
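
Review bot: In the glxsb_crypto_process hunk (@@ -867,8 +868,11 @@), the new "if (crp == NULL) return (EINVAL);" leaves the function directly while the crp_callback/crp_desc failures just below still set error and "goto fail", and the added "/* Sanity check. */" comment does not explain why the two cases now exit differently. The fail label is not visible in this hunk; presumably it needs a valid crp. Suggest saying so in the comment on the early return, so the split is not later folded back into a single test.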