Potential null pointer dereference in serial driver (2.4) and amigaserial driver (2.6)

From: Julien TINNES
Date: Tue May 24 2005 - 11:03:24 EST


This is an example of a pointer which is dereferenced (two times)
before being null checked.

Patches are attached.

Signed-off-by: Julien TINNES <julien@xxxxxxx>
--- linux-2.4.30.orig/drivers/char/serial.c 2005-01-19 15:09:50.000000000 +0100
+++ linux-2.4.30/drivers/char/serial.c 2005-05-24 17:23:26.000000000 +0200
@@ -1827,13 +1827,18 @@

static void rs_put_char(struct tty_struct *tty, unsigned char ch)
{
- struct async_struct *info = (struct async_struct *)tty->driver_data;
+ struct async_struct *info;
unsigned long flags;

+ if (!tty)
+ return;
+
+ info = (struct async_struct *)tty->driver_data;
+
if (serial_paranoia_check(info, tty->device, "rs_put_char"))
return;

- if (!tty || !info->xmit.buf)
+ if (!info->xmit.buf)
return;

save_flags(flags); cli();
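Review bot: The hoisted `if (!tty) return;` guard is very likely dead code: the old condition tested `!tty` only after `tty->driver_data` had already been read, which suggests the NULL path was never taken, and as far as I can tell the tty core never hands a NULL tty to `put_char`/`write`, so the simpler fix is to drop `!tty` from the existing condition rather than add an early return before the `driver_data` load. If the guard is kept, a one-line comment such as `/* tty should never be NULL here; defensive guard only */` would stop the next reader from assuming a real NULL path exists. Note also that `info` is still dereferenced at `info->xmit.buf` with only `serial_paranoia_check()` in between, and if that helper is compiled to a no-op unless paranoia checking is enabled (as it appears to be in this driver), a NULL `driver_data` is not covered by this change. rs_put_char continues past the end of the hunk; the same remarks apply to the rs_write hunk in serial.c and to both amiserial.c hunks.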
@@ -1873,13 +1878,18 @@
const unsigned char *buf, int count)
{
int c, ret = 0;
- struct async_struct *info = (struct async_struct *)tty->driver_data;
+ struct async_struct *info;
unsigned long flags;

+ if (!tty)
+ return 0;
+
+ info = (struct async_struct *)tty->driver_data;
+
if (serial_paranoia_check(info, tty->device, "rs_write"))
return 0;

- if (!tty || !info->xmit.buf || !tmp_buf)
+ if (!info->xmit.buf || !tmp_buf)
return 0;

save_flags(flags);
--- linux-2.6.11.orig/drivers/char/amiserial.c 2005-05-17 10:55:03.000000000 +0200
+++ linux-2.6.11/drivers/char/amiserial.c 2005-05-24 17:10:16.000000000 +0200
@@ -861,13 +861,18 @@

static void rs_put_char(struct tty_struct *tty, unsigned char ch)
{
- struct async_struct *info = (struct async_struct *)tty->driver_data;
+ struct async_struct *info;
unsigned long flags;

+ if(!tty)
+ return;
+
+ info = (struct async_struct *)tty->driver_data;
+
if (serial_paranoia_check(info, tty->name, "rs_put_char"))
return;

- if (!tty || !info->xmit.buf)
+ if (!info->xmit.buf)
return;

local_irq_save(flags);
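Review bot: `if(!tty)` in the new guard omits the space after the keyword; kernel coding style, and the serial.c hunks in this same patch, write it as `if (!tty)`, and the rs_write hunk in amiserial.c has the same `if(!tty)`. The blank lines around the `info = ...` assignment also differ from the surrounding style, which keeps the assignment adjacent to the declarations it feeds. rs_put_char continues past the end of the hunk.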
@@ -910,13 +915,18 @@
static int rs_write(struct tty_struct * tty, const unsigned char *buf, int count)
{
int c, ret = 0;
- struct async_struct *info = (struct async_struct *)tty->driver_data;
+ struct async_struct *info;
unsigned long flags;

+ if(!tty)
+ return 0;
+
+ info = (struct async_struct *)tty->driver_data;
+
if (serial_paranoia_check(info, tty->name, "rs_write"))
return 0;

- if (!tty || !info->xmit.buf || !tmp_buf)
+ if (!info->xmit.buf || !tmp_buf)
return 0;

local_save_flags(flags);