Bug 13854 - found possible null pointer dereference in file ray_cs.c
Summary: found possible null pointer dereference in file ray_cs.c
Status: RESOLVED CODE_FIX
Alias: None
Product: Drivers
Classification: Unclassified
Component: network-wireless (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: John W. Linville
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-07-27 14:01 UTC by Martin Ettl
Modified: 2010-03-01 19:13 UTC (History)
2 users (show)

See Also:
Kernel Version: 2.6.30
Subsystem:
Regression: No
Bisected commit-id:

Attachments
0001-ray_cs-avoid-potential-null-dereference-in-ray_get_.patch (1.22 KB, patch)
2009-07-27 14:37 UTC, John W. Linville 		Details | Diff
0001-ray_cs-remove-bocus-NULL-check-at-head-of-ray_get_w.patch (1.01 KB, patch)
2009-07-27 15:01 UTC, John W. Linville 		Details | Diff
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

Description Martin Ettl 2009-07-27 14:01:36 UTC 
Hello,

during checking the linux kernel with the static code analysis tool cppcheck, i found a possible null pointer dereference in file linux-2.6.30/drivers/net/wireless/ray_cs.c at line 1511 and 1512.

Take a look at the sourcecode:

static iw_stats *ray_get_wireless_stats(struct net_device *dev)
{
	ray_dev_t *local = netdev_priv(dev);
1511	struct pcmcia_device *link = local->finder;
1512	struct status __iomem *p = local->sram + STATUS_BASE;

1514    if (local == (ray_dev_t *) NULL)
		return (iw_stats *) NULL;

....

As you can see the pointer local is first used and then it is checked of validity. See the if statement at line 1514.
A possible solution might be:

static iw_stats *ray_get_wireless_stats(struct net_device *dev)
{
	ray_dev_t *local = netdev_priv(dev);
        if (local == (ray_dev_t *) NULL)
		return (iw_stats *) NULL;
	struct pcmcia_device *link = local->finder;
        struct status __iomem *p = local->sram + STATUS_BASE;

...

Best regards

Ettl Martin
Comment 1 Johannes Berg 2009-07-27 14:36:27 UTC 
Give it some thought, man. How can

static inline void *netdev_priv(const struct net_device *dev)
{
        return (char *)dev + ALIGN(sizeof(struct net_device), NETDEV_ALIGN);
}

ever return NULL?
Comment 2 Johannes Berg 2009-07-27 14:37:02 UTC 
(I guess I meant to say: don't run static checkers if you're not willing to understand the result)
Comment 3 John W. Linville 2009-07-27 14:37:51 UTC 
Created attachment 22510 [details]
0001-ray_cs-avoid-potential-null-dereference-in-ray_get_.patch
Comment 4 John W. Linville 2009-07-27 14:39:59 UTC 
Ha!  Good point, Johannes...
Comment 5 Martin Ettl 2009-07-27 14:44:51 UTC 
(In reply to comment #2)
> (I guess I meant to say: don't run static checkers if you're not willing to
> understand the result)

:-)
Comment 6 John W. Linville 2009-07-27 15:01:17 UTC 
Created attachment 22511 [details]
0001-ray_cs-remove-bocus-NULL-check-at-head-of-ray_get_w.patch
Comment 7 Johannes Berg 2009-07-27 15:11:46 UTC 
(In reply to comment #5)
> (In reply to comment #2)
> > (I guess I meant to say: don't run static checkers if you're not willing to
> > understand the result)
> 
> :-)

That should read "Sorry, I'm ashamed to not have looked into it properly and to have wasted your time on a driver for hardware that nobody owns any more".
Comment 8 John W. Linville 2010-03-01 19:13:18 UTC 
commit 11866efa9b5d6f321a2625b7f6837ba55c4c2e4b
Author: John W. Linville <linville@tuxdriver.com>
Date:   Mon Jul 27 10:56:41 2009 -0400

    ray_cs: remove bogus NULL check at head of ray_get_wireless_stats
    
    Reported-by: Johannes Berg <johannes@sipsolutions.net>
    Cc: Martin Ettl <ettl.martin@gmx.de>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
Note You need to log in before you can comment on or make changes to this bug.