Date: Mon, 8 Sep 2003 15:26:42 -0400 (EDT)
From: Jeff Fellin <jkf@research.bell-labs.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/56605: da driver can reference a NULL pointer
Message-ID: <200309081926.h88JQgjs45426475@nslocum.cs.bell-labs.com>
Resent-Message-ID: <200309081930.h88JUHaC009444@freefall.freebsd.org>
>Number: 56605
>Category: kern
>Synopsis: da driver can reference a NULL pointer
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Sep 08 12:30:17 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Jeff Fellin
>Release: FreeBSD current i386
>Organization:
Bell Labs
>Environment:
System: FreeBSD nstg6.cs.bell-labs.com 4.4-STABLE FreeBSD 4.4-STABLE #0: Tue Oct 22 10:15:48 EDT 2002 jkf@nstg6.research.bell-labs.com:/bsd.stable/src/sys/compile/DEV.UP i386
>Description:
The routine daopen() in sys/cam/scsi can reference a NULL pointer.
Lines 457-463:
    s = splsoftcam();
    periph = (struct cam_periph *)dp->d_drv1;
    unit = periph->unit_number; /* POSSIBLE NULL REFERENCE */
    if (periph == NULL) {
        splx(s);
        return (ENXIO);
    }
>How-To-Repeat:
Code inspection, no test.
>Fix:
Move line 459 to be after line 463 as follows
Lines 457-463:
    s = splsoftcam();
    periph = (struct cam_periph *)dp->d_drv1;
    if (periph == NULL) {
        splx(s);
        return (ENXIO);
    }
    unit = periph->unit_number;
>Release-Note:
>Audit-Trail:
>Unformatted:
I sent the following report via send-pr, but I don't think it left the
FreeBSD machine I ran the command on.
Jeff Fellin
Room 2C-423
Bell-Labs, Murray Hill
(908) 582-7673
fellin@lucent.com
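
The code inspection described in this report can be partly automated. The following Python script is an added example, not part of the original message or of FreeBSD: a line-based heuristic that flags a pointer dereferenced with `->` between its last assignment and a later NULL test, run over the two orderings quoted in the report. The function name `deref_before_check` and its `first_line` parameter are assumptions made for illustration.

```python
import re

# The two orderings quoted in the report (lines 457-463 of the driver source).
BEFORE = """\
s = splsoftcam();
periph = (struct cam_periph *)dp->d_drv1;
unit = periph->unit_number;
if (periph == NULL) {
    splx(s);
    return (ENXIO);
}
"""
AFTER = """\
s = splsoftcam();
periph = (struct cam_periph *)dp->d_drv1;
if (periph == NULL) {
    splx(s);
    return (ENXIO);
}
unit = periph->unit_number;
"""

# Matches "if (p == NULL)", "if (NULL == p)" and "if (!p)".
NULL_CHECK = re.compile(
    r'\bif\s*\(\s*(?:!\s*(\w+)|(\w+)\s*==\s*NULL|NULL\s*==\s*(\w+))\s*\)')

def deref_before_check(source, first_line=1):
    """Return (name, deref_line, check_line) for every pointer that is
    dereferenced after its last assignment but before its NULL test."""
    findings = []
    lines = source.splitlines()
    for idx, line in enumerate(lines):
        m = NULL_CHECK.search(line)
        if not m:
            continue
        name = next(g for g in m.groups() if g)
        # "name->" as a variable, not as a member of another struct.
        deref = re.compile(r'(?<![\w.>])' + re.escape(name) + r'\s*->')
        assign = re.compile(r'^\s*' + re.escape(name) + r'\s*=(?!=)')
        # Walk back from the check to the pointer's most recent assignment.
        for back in range(idx - 1, -1, -1):
            if assign.search(lines[back]):
                break
            if deref.search(lines[back]):
                findings.append((name, back + first_line, idx + first_line))
    return findings

if __name__ == "__main__":
    for label, src in (("before", BEFORE), ("after", AFTER)):
        print(label, deref_before_check(src, first_line=457))
```

The heuristic works on straight-line code only; it does not follow control flow, macros or aliases, so a finding is a prompt for manual review rather than proof of a bug.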
