Bug 13854

Summary: found possible null pointer dereference in file ray_cs.c
Product: Drivers Reporter: Martin Ettl (ettl.martin)
Component: network-wirelessAssignee: John W. Linville (linville)
Status: RESOLVED CODE_FIX    
Severity: normal CC: johannes, linville
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 2.6.30 Subsystem:
Regression: No Bisected commit-id:
Attachments: 0001-ray_cs-avoid-potential-null-dereference-in-ray_get_.patch
0001-ray_cs-remove-bocus-NULL-check-at-head-of-ray_get_w.patch

Description Martin Ettl 2009-07-27 14:01:36 UTC 
Hello,

during checking the linux kernel with the static code analysis tool cppcheck, i found a possible null pointer dereference in file linux-2.6.30/drivers/net/wireless/ray_cs.c at line 1511 and 1512.

Take a look at the sourcecode:

static iw_stats *ray_get_wireless_stats(struct net_device *dev)
{
	ray_dev_t *local = netdev_priv(dev);
1511	struct pcmcia_device *link = local->finder;
1512	struct status __iomem *p = local->sram + STATUS_BASE;

1514    if (local == (ray_dev_t *) NULL)
		return (iw_stats *) NULL;

....

As you can see the pointer local is first used and then it is checked of validity. See the if statement at line 1514.
A possible solution might be:

static iw_stats *ray_get_wireless_stats(struct net_device *dev)
{
	ray_dev_t *local = netdev_priv(dev);
        if (local == (ray_dev_t *) NULL)
		return (iw_stats *) NULL;
	struct pcmcia_device *link = local->finder;
        struct status __iomem *p = local->sram + STATUS_BASE;

...

Best regards

Ettl Martin
Comment 1 Johannes Berg 2009-07-27 14:36:27 UTC 
Give it some thought, man. How can

static inline void *netdev_priv(const struct net_device *dev)
{
        return (char *)dev + ALIGN(sizeof(struct net_device), NETDEV_ALIGN);
}

ever return NULL?
Comment 2 Johannes Berg 2009-07-27 14:37:02 UTC 
(I guess I meant to say: don't run static checkers if you're not willing to understand the result)
Comment 3 John W. Linville 2009-07-27 14:37:51 UTC 
Created attachment 22510 [details]
0001-ray_cs-avoid-potential-null-dereference-in-ray_get_.patch
Comment 4 John W. Linville 2009-07-27 14:39:59 UTC 
Ha!  Good point, Johannes...
Comment 5 Martin Ettl 2009-07-27 14:44:51 UTC 
(In reply to comment #2)
> (I guess I meant to say: don't run static checkers if you're not willing to
> understand the result)

:-)
Comment 6 John W. Linville 2009-07-27 15:01:17 UTC 
Created attachment 22511 [details]
0001-ray_cs-remove-bocus-NULL-check-at-head-of-ray_get_w.patch
Comment 7 Johannes Berg 2009-07-27 15:11:46 UTC 
(In reply to comment #5)
> (In reply to comment #2)
> > (I guess I meant to say: don't run static checkers if you're not willing to
> > understand the result)
> 
> :-)

That should read "Sorry, I'm ashamed to not have looked into it properly and to have wasted your time on a driver for hardware that nobody owns any more".
Comment 8 John W. Linville 2010-03-01 19:13:18 UTC 
commit 11866efa9b5d6f321a2625b7f6837ba55c4c2e4b
Author: John W. Linville <linville@tuxdriver.com>
Date:   Mon Jul 27 10:56:41 2009 -0400

    ray_cs: remove bogus NULL check at head of ray_get_wireless_stats
    
    Reported-by: Johannes Berg <johannes@sipsolutions.net>
    Cc: Martin Ettl <ettl.martin@gmx.de>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>