Date: Thu, 19 Feb 2004 17:45:54 -0800 (PST) From: "Ted Unangst" <tedu@coverity.com> To: hackers@freebsd.org Subject: NULL pointer dereferences Message-ID: <19391.66.93.171.98.1077241554.spork@webmail.coverity.com>
next in thread | raw e-mail | index | archive | help
------=_20040219174554_21685
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Some more. There are bugs where the code checks for NULL after using the
pointer. Usually means the check should be earlier, or is unnecessary.
------=_20040219174554_21685
Content-Type: text/plain; name="report-rev"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="report-rev"
############################################################
# New errors.
#
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/twe/twe_freebsd.c|747|twed_dump|ERROR|REVERSE_NULL| 746|747| dereference of twed_sc preceeds check!
int error;
struct disk *dp;
dp = arg;
twed_sc = (struct twed_softc *)dp->d_drv1;
Start --->
twe_sc = (struct twe_softc *)twed_sc->twed_controller;
Error --->
if (!twed_sc || !twe_sc)
return(ENXIO);
if (length > 0) {
if ((error = twe_dump_blocks(twe_sc, twed_sc->twed_drive->td_twe_unit, offset / TWE_BLOCK_SIZE, virtual, length / TWE_BLOCK_SIZE)) != 0)
return(error);
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/netgraph/atm/uni/ng_uni.c|590|uni_uni_output|ERROR|REVERSE_NULL| 589|590| dereference of msg preceeds check! [START_RELAX0=filename|/home/tedu/sys/netgraph/atm/ngatmbase.c,fn|uni_msg_pack_mbuf,line1|152,line2|-1,argno|0]
return;
}
arg.sig = sig;
arg.cookie = cookie;
Start --->
m = uni_msg_pack_mbuf(msg, &arg, sizeof(arg));
Error --->
if (msg != NULL)
uni_msg_destroy(msg);
if (m == NULL)
return;
NG_SEND_DATA_ONLY(error, priv->upper, m);
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/cam/scsi/scsi_da.c|461|daopen|ERROR|REVERSE_NULL| 460|461| dereference of periph preceeds check!
int error;
int s;
s = splsoftcam();
periph = (struct cam_periph *)dp->d_drv1;
Start --->
unit = periph->unit_number;
Error --->
if (periph == NULL) {
splx(s);
return (ENXIO);
}
softc = (struct da_softc *)periph->softc;
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/trm/trm.c|1341|trm_Interrupt|ERROR|REVERSE_NULL| 1340|1341| dereference of pDCB preceeds check!
return;
}
if (scsi_intstatus & (INT_BUSSERVICE | INT_CMDDONE)) {
pDCB = pACB->pActiveDCB;
Start --->
pSRB = pDCB->pActiveSRB;
Error --->
if (pDCB) {
if (pDCB->DCBFlag & ABORT_DEV_)
trm_EnableMsgOutAbort1(pACB, pSRB);
}
phase = (u_int16_t) pSRB->ScsiPhase; /* phase: */
stateV = (void *) trm_SCSI_phase0[phase];
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/amr/amr_disk.c|161|amrd_dump|ERROR|REVERSE_NULL| 160|161| dereference of amrd_sc preceeds check!
int error;
struct disk *dp;
dp = arg;
amrd_sc = (struct amrd_softc *)dp->d_drv1;
Start --->
amr_sc = (struct amr_softc *)amrd_sc->amrd_controller;
Error --->
if (!amrd_sc || !amr_sc)
return(ENXIO);
if (length > 0) {
int driveno = amrd_sc->amrd_drive - amr_sc->amr_drive;
if ((error = amr_dump_blocks(amr_sc,driveno,offset / AMR_BLKSIZE ,(void *)virtual,(int) length / AMR_BLKSIZE )) != 0)
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/kern/uipc_usrreq.c|1097|unp_init|ERROR|REVERSE_NULL| 1096|1097| dereference of unp_zone preceeds check! [START_RELAX0=filename|/home/tedu/sys/vm/uma_core.c,fn|uma_zone_set_max,line1|1913,line2|-1,argno|0]
void
unp_init(void)
{
unp_zone = uma_zcreate("unpcb", sizeof(struct unpcb), NULL, NULL,
NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
Start --->
uma_zone_set_max(unp_zone, nmbclusters);
Error --->
if (unp_zone == 0)
panic("unp_init");
LIST_INIT(&unp_dhead);
LIST_INIT(&unp_shead);
}
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/netgraph/ng_gif.c|270|ng_gif_detach|ERROR|REVERSE_NULL| 268|270| dereference of node preceeds check! [START_RELAX0=filename|/home/tedu/sys/i386/compile/GENERIC/modules/home/tedu/sys/modules/netgraph/gif/@/netgraph/netgraph.h,fn|_ng_node_private,line1|472,line2|-1,argno|0]
*/
static void
ng_gif_detach(struct ifnet *ifp)
{
const node_p node = IFP2NG(ifp);
Start --->
const priv_p priv = NG_NODE_PRIVATE(node);
Error --->
if (node == NULL) /* no node (why not?), ignore */
return;
NG_NODE_REALLY_DIE(node); /* Force real removal of node */
/*
* We can't assume the ifnet is still around when we run shutdown
* So zap it now. XXX We HOPE that anything running at this time
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/raidframe/rf_paritylog.c|695|rf_ParityLogAppend|ERROR|REVERSE_NULL| 693|695| dereference of logData preceeds check!
* Later, as conditions which required the block are removed, the work
* reenters this routine with the "finish" parameter set to "RF_TRUE."
*
* NON-BLOCKING */
Start --->
raidPtr = logData->common->raidPtr;
/* lock the region for the first item in logData */
Error --->
RF_ASSERT(logData != NULL);
regionID = logData->regionID;
RF_LOCK_MUTEX(raidPtr->regionInfo[regionID].mutex);
RF_ASSERT(raidPtr->regionInfo[regionID].loggingEnabled);
if (clearReintFlag) {
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/firewire/firewire.c|955|fw_xfer_alloc_buf|ERROR|REVERSE_NULL| 953|955| dereference of xfer preceeds check!
fw_xfer_alloc_buf(struct malloc_type *type, int send_len, int recv_len)
{
struct fw_xfer *xfer;
xfer = fw_xfer_alloc(type);
Start --->
xfer->send.pay_len = send_len;
xfer->recv.pay_len = recv_len;
Error --->
if (xfer == NULL)
return(NULL);
if (send_len > 0) {
xfer->send.payload = malloc(send_len, type, M_NOWAIT | M_ZERO);
if (xfer->send.payload == NULL) {
fw_xfer_free(xfer);
------=_20040219174554_21685--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19391.66.93.171.98.1077241554.spork>