Bug 9572 - Dereferencing NULL pointer on drivers/usb/serial/mos7720.c
Status: CLOSED CODE_FIX
Product: Drivers
Classification: Unclassified
Component: USB
Platform/OS: All Linux
Priority/Severity: P1 normal
Assigned To: Greg Kroah-Hartman
Blocks: USB
Reported: 2007-12-15 06:53 UTC by Marcio Buss
Modified: 2008-09-22 10:42 UTC (History)
Kernel Version: 2.6.23
Tree: Mainline
Regression: ---

Description Marcio Buss 2007-12-15 06:53:47 UTC
There is a NULL pointer dereference on drivers/usb/serial/mos7720.c
The error can be tracked down as follows:

(1) line 568: there's a test "if (serial->dev)" implying that
    null is a legal value for "serial->dev" at that point

(2) line 576: "serial" is passed in as an argument to "send_mos_cmd"

(3) line 282: "send_mos_cmd" unconditionally dereferences serial->dev
    at expression "le16_to_cpu(serial->dev->descriptor.idProduct)"
Comment 1 Anonymous Emailer 2007-12-15 20:23:39 UTC
Reply-To: akpm@linux-foundation.org

On Sat, 15 Dec 2007 06:53:48 -0800 (PST) bugme-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=9572
> 
>            Summary: Dereferencing NULL pointer on
>                     drivers/usb/serial/mos7720.c
>            Product: Drivers
>            Version: 2.5
>      KernelVersion: 2.6.23
>           Platform: All
>         OS/Version: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: USB
>         AssignedTo: greg@kroah.com
>         ReportedBy: marciobuss@gmail.com
> 
> 
> There is a NULL pointer dereference on drivers/usb/serial/mos7720.c
> The error can be tracked down as follows:
> 
> (1) line 568: there's a test "if (serial->dev)" implying that
>     null is a legal value for "serial->dev" at that point
> 
> (2) line 576: "serial" is passed in as an argument to "send_mos_cmd"
> 
> (3) line 282: "send_mos_cmd" unconditionally dereferences serial->dev
>     at expression "le16_to_cpu(serial->dev->descriptor.idProduct)
> 

Comment 2 Anonymous Emailer 2007-12-20 02:48:32 UTC
Reply-To: oliver@neukum.org

On Sunday, 16 December 2007 05:23:27, Andrew Morton wrote:
> On Sat, 15 Dec 2007 06:53:48 -0800 (PST) bugme-daemon@bugzilla.kernel.org wrote:
> 
> > http://bugzilla.kernel.org/show_bug.cgi?id=9572
> > 
> >            Summary: Dereferencing NULL pointer on
> >                     drivers/usb/serial/mos7720.c
> >            Product: Drivers
> >            Version: 2.5
> >      KernelVersion: 2.6.23
> >           Platform: All
> >         OS/Version: Linux
> >               Tree: Mainline
> >             Status: NEW
> >           Severity: normal
> >           Priority: P1
> >          Component: USB
> >         AssignedTo: greg@kroah.com
> >         ReportedBy: marciobuss@gmail.com
> > 
> > 
> > There is a NULL pointer dereference on drivers/usb/serial/mos7720.c
> > The error can be tracked down as follows:
> > 
> > (1) line 568: there's a test "if (serial->dev)" implying that
> >     null is a legal value for "serial->dev" at that point
> > 
> > (2) line 576: "serial" is passed in as an argument to "send_mos_cmd"
> > 
> > (3) line 282: "send_mos_cmd" unconditionally dereferences serial->dev
> >     at expression "le16_to_cpu(serial->dev->descriptor.idProduct)

I see no way serial->dev may become NULL. The test looks superfluous.
Did you get an oops or is this the result of a checking tool?

	Regards
		Oliver

Comment 3 Alan 2008-09-22 10:42:01 UTC
Test removed upstream
