From owner-freebsd-hackers@FreeBSD.ORG Thu Feb 19 17:46:54 2004 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A989B16A4CE for ; Thu, 19 Feb 2004 17:46:54 -0800 (PST) Received: from pochacco.sd.dreamhost.com (pochacco.sd.dreamhost.com [66.33.206.17]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9B61643D2F for ; Thu, 19 Feb 2004 17:46:54 -0800 (PST) (envelope-from tedu@coverity.com) Received: from webmail.coverity.com (localhost [127.0.0.1]) by pochacco.sd.dreamhost.com (Postfix) with SMTP id D9D2E8FF9D for ; Thu, 19 Feb 2004 17:45:54 -0800 (PST) Received: from 66.93.171.98 (SquirrelMail authenticated user tedu@coverity.com) by webmail.coverity.com with HTTP; Thu, 19 Feb 2004 17:45:54 -0800 (PST) Message-ID: <19391.66.93.171.98.1077241554.spork@webmail.coverity.com> Date: Thu, 19 Feb 2004 17:45:54 -0800 (PST) From: "Ted Unangst" To: hackers@freebsd.org User-Agent: DreamHost Webmail MIME-Version: 1.0 Content-Type: multipart/mixed;boundary="----=_20040219174554_21685" X-Mailman-Approved-At: Thu, 19 Feb 2004 20:39:19 -0800 Subject: NULL pointer dereferences X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Feb 2004 01:46:54 -0000 ------=_20040219174554_21685 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Some more. These are bugs where the code checks a pointer for NULL only after it has already been dereferenced. Usually this means the check should be moved earlier, or that it is unnecessary: if the pointer can really be NULL, the dereference faults before the check is ever reached, and if it cannot, the check is dead code. ------=_20040219174554_21685 Content-Type: text/plain; name="report-rev" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="report-rev" ############################################################ # New errors.
# --------------------------------------------------------- [UNINSPECTED] X [BUG] X [FALSE] X [UNKNOWN] X [BROKE] X [SKIP] /home/tedu/sys/dev/twe/twe_freebsd.c|747|twed_dump|ERROR|REVERSE_NULL| 746|747| dereference of twed_sc precedes check! int error; struct disk *dp; dp = arg; twed_sc = (struct twed_softc *)dp->d_drv1; Start ---> twe_sc = (struct twe_softc *)twed_sc->twed_controller; Error ---> if (!twed_sc || !twe_sc) return(ENXIO); if (length > 0) { if ((error = twe_dump_blocks(twe_sc, twed_sc->twed_drive->td_twe_unit, offset / TWE_BLOCK_SIZE, virtual, length / TWE_BLOCK_SIZE)) != 0) return(error); --------------------------------------------------------- [UNINSPECTED] X [BUG] X [FALSE] X [UNKNOWN] X [BROKE] X [SKIP] /home/tedu/sys/netgraph/atm/uni/ng_uni.c|590|uni_uni_output|ERROR|REVERSE_NULL| 589|590| dereference of msg precedes check! [START_RELAX0=filename|/home/tedu/sys/netgraph/atm/ngatmbase.c,fn|uni_msg_pack_mbuf,line1|152,line2|-1,argno|0] return; } arg.sig = sig; arg.cookie = cookie; Start ---> m = uni_msg_pack_mbuf(msg, &arg, sizeof(arg)); Error ---> if (msg != NULL) uni_msg_destroy(msg); if (m == NULL) return; NG_SEND_DATA_ONLY(error, priv->upper, m); --------------------------------------------------------- [UNINSPECTED] X [BUG] X [FALSE] X [UNKNOWN] X [BROKE] X [SKIP] /home/tedu/sys/cam/scsi/scsi_da.c|461|daopen|ERROR|REVERSE_NULL| 460|461| dereference of periph precedes check! int error; int s; s = splsoftcam(); periph = (struct cam_periph *)dp->d_drv1; Start ---> unit = periph->unit_number; Error ---> if (periph == NULL) { splx(s); return (ENXIO); } softc = (struct da_softc *)periph->softc; --------------------------------------------------------- [UNINSPECTED] X [BUG] X [FALSE] X [UNKNOWN] X [BROKE] X [SKIP] /home/tedu/sys/dev/trm/trm.c|1341|trm_Interrupt|ERROR|REVERSE_NULL| 1340|1341| dereference of pDCB precedes check! 
return; } if (scsi_intstatus & (INT_BUSSERVICE | INT_CMDDONE)) { pDCB = pACB->pActiveDCB; Start ---> pSRB = pDCB->pActiveSRB; Error ---> if (pDCB) { if (pDCB->DCBFlag & ABORT_DEV_) trm_EnableMsgOutAbort1(pACB, pSRB); } phase = (u_int16_t) pSRB->ScsiPhase; /* phase: */ stateV = (void *) trm_SCSI_phase0[phase]; --------------------------------------------------------- [UNINSPECTED] X [BUG] X [FALSE] X [UNKNOWN] X [BROKE] X [SKIP] /home/tedu/sys/dev/amr/amr_disk.c|161|amrd_dump|ERROR|REVERSE_NULL| 160|161| dereference of amrd_sc precedes check! int error; struct disk *dp; dp = arg; amrd_sc = (struct amrd_softc *)dp->d_drv1; Start ---> amr_sc = (struct amr_softc *)amrd_sc->amrd_controller; Error ---> if (!amrd_sc || !amr_sc) return(ENXIO); if (length > 0) { int driveno = amrd_sc->amrd_drive - amr_sc->amr_drive; if ((error = amr_dump_blocks(amr_sc,driveno,offset / AMR_BLKSIZE ,(void *)virtual,(int) length / AMR_BLKSIZE )) != 0) --------------------------------------------------------- [UNINSPECTED] X [BUG] X [FALSE] X [UNKNOWN] X [BROKE] X [SKIP] /home/tedu/sys/kern/uipc_usrreq.c|1097|unp_init|ERROR|REVERSE_NULL| 1096|1097| dereference of unp_zone precedes check! [START_RELAX0=filename|/home/tedu/sys/vm/uma_core.c,fn|uma_zone_set_max,line1|1913,line2|-1,argno|0] void unp_init(void) { unp_zone = uma_zcreate("unpcb", sizeof(struct unpcb), NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE); Start ---> uma_zone_set_max(unp_zone, nmbclusters); Error ---> if (unp_zone == 0) panic("unp_init"); LIST_INIT(&unp_dhead); LIST_INIT(&unp_shead); } --------------------------------------------------------- [UNINSPECTED] X [BUG] X [FALSE] X [UNKNOWN] X [BROKE] X [SKIP] /home/tedu/sys/netgraph/ng_gif.c|270|ng_gif_detach|ERROR|REVERSE_NULL| 268|270| dereference of node precedes check! 
[START_RELAX0=filename|/home/tedu/sys/i386/compile/GENERIC/modules/home/tedu/sys/modules/netgraph/gif/@/netgraph/netgraph.h,fn|_ng_node_private,line1|472,line2|-1,argno|0] */ static void ng_gif_detach(struct ifnet *ifp) { const node_p node = IFP2NG(ifp); Start ---> const priv_p priv = NG_NODE_PRIVATE(node); Error ---> if (node == NULL) /* no node (why not?), ignore */ return; NG_NODE_REALLY_DIE(node); /* Force real removal of node */ /* * We can't assume the ifnet is still around when we run shutdown * So zap it now. XXX We HOPE that anything running at this time --------------------------------------------------------- [UNINSPECTED] X [BUG] X [FALSE] X [UNKNOWN] X [BROKE] X [SKIP] /home/tedu/sys/dev/raidframe/rf_paritylog.c|695|rf_ParityLogAppend|ERROR|REVERSE_NULL| 693|695| dereference of logData precedes check! * Later, as conditions which required the block are removed, the work * reenters this routine with the "finish" parameter set to "RF_TRUE." * * NON-BLOCKING */ Start ---> raidPtr = logData->common->raidPtr; /* lock the region for the first item in logData */ Error ---> RF_ASSERT(logData != NULL); regionID = logData->regionID; RF_LOCK_MUTEX(raidPtr->regionInfo[regionID].mutex); RF_ASSERT(raidPtr->regionInfo[regionID].loggingEnabled); if (clearReintFlag) { --------------------------------------------------------- [UNINSPECTED] X [BUG] X [FALSE] X [UNKNOWN] X [BROKE] X [SKIP] /home/tedu/sys/dev/firewire/firewire.c|955|fw_xfer_alloc_buf|ERROR|REVERSE_NULL| 953|955| dereference of xfer precedes check! fw_xfer_alloc_buf(struct malloc_type *type, int send_len, int recv_len) { struct fw_xfer *xfer; xfer = fw_xfer_alloc(type); Start ---> xfer->send.pay_len = send_len; xfer->recv.pay_len = recv_len; Error ---> if (xfer == NULL) return(NULL); if (send_len > 0) { xfer->send.payload = malloc(send_len, type, M_NOWAIT | M_ZERO); if (xfer->send.payload == NULL) { fw_xfer_free(xfer); ------=_20040219174554_21685--