Re: [PATCH] fix dangerous pointer derefs and remove pointless casts in MOXA driver

On Sun, May 14, 2006 at 03:49:35AM +0200, Jesper Juhl wrote:
> If mxser_write() gets called with a NULL 'tty' pointer, then the initial
> assignment of tty->driver_data to info will explode.

->write() is called via

	tty->driver->write(tty, ...);

See? tty was already dereferenced.

> 'tty' is tested for NULL at the beginning of the function, but at that
> point it is too late.
> Fix the problem by only dereferencing tty after it has been tested.
>
> In mxser_put_char() there's the same problem with the same fix.
>
> This should fix coverity bugs #770 && #771 .

> --- linux-2.6.17-rc4-git2-orig/drivers/char/mxser.c
> +++ linux-2.6.17-rc4-git2/drivers/char/mxser.c
> @@ -877,7 +877,7 @@ static int mxser_init(void)
>
>  static void mxser_do_softint(void *private_)
>  {
> -	struct mxser_struct *info = (struct mxser_struct *) private_;
> +	struct mxser_struct *info = private_;

Please, don't make unrelated changes, ever.

>  	struct tty_struct *tty;
>
>  	tty = info->tty;

> @@ -1078,11 +1077,15 @@ static void mxser_close(struct tty_struc
>  static int mxser_write(struct tty_struct *tty, const unsigned char *buf, int count)
>  {
>  	int c, total = 0;
> -	struct mxser_struct *info = (struct mxser_struct *) tty->driver_data;
> +	struct mxser_struct *info;
>  	unsigned long flags;
>  
> -	if (!tty || !info->xmit_buf)
> -		return (0);
> +	if (!tty)
> +		return 0;
> +
> +	info = tty->driver_data;
> +	if (!info->xmit_buf)
> +		return 0;
>  
>  	while (1) {
>  		c = min_t(int, count, min(SERIAL_XMIT_SIZE - info->xmit_cnt - 1, SERIAL_XMIT_SIZE - info->xmit_head));
> @@ -1114,10 +1117,14 @@ static int mxser_write(struct tty_struct
>  
>  static void mxser_put_char(struct tty_struct *tty, unsigned char ch)
>  {
> -	struct mxser_struct *info = (struct mxser_struct *) tty->driver_data;
> +	struct mxser_struct *info;
>  	unsigned long flags;
>  
> -	if (!tty || !info->xmit_buf)
> +	if (!tty)
> +		return;
> +
> +	info = tty->driver_data;
> +	if (!info->xmit_buf)
>  		return;
>  
>  	if (info->xmit_cnt >= SERIAL_XMIT_SIZE - 1)

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: [PATCH] fix dangerous pointer derefs and remove pointless casts in MOXA driver
    • From: "Jesper Juhl" <[email protected]>

• References:
  • [PATCH] fix dangerous pointer derefs and remove pointless casts in MOXA driver
    • From: Jesper Juhl <[email protected]>

• Prev by Date: Re: [RFC] [PATCH 3/3] ufs: change b_blocknr
• Next by Date: Re: Total machine lockup w/ current kernels while installing from CD
• Previous by thread: [PATCH] fix dangerous pointer derefs and remove pointless casts in MOXA driver
• Next by thread: Re: [PATCH] fix dangerous pointer derefs and remove pointless casts in MOXA driver
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]