[Patch] NULL pointer dereference in drivers/message/i2o/i2o_config.c

From: Eric Sesterhenn
Date: Tue May 30 2006 - 17:16:12 EST


hi,

I am not sure if there is some black magic which prevents this
from happening; it is spotted by Coverity id #265

499 	for (p = open_files; p; p = p->next)
500 		if (p->q_id == (ulong) fp->private_data)
501 			break;
502 
503 	if (!p->q_len)
504 		return -ENOENT;

If we can't find a p with a p->q_id which matches fp->private_data,
we dereference it.

Signed-off-by: Eric Sesterhenn <snakebyte@xxxxxx>


--- linux-2.6.17-rc4-git2/drivers/message/i2o/i2o_config.c.orig 2006-05-30 23:12:13.000000000 +0200
+++ linux-2.6.17-rc4-git2/drivers/message/i2o/i2o_config.c 2006-05-30 23:13:30.000000000 +0200
@@ -500,7 +500,7 @@ static int i2o_cfg_evt_get(unsigned long
if (p->q_id == (ulong) fp->private_data)
break;

- if (!p->q_len)
+ if (!p || !p->q_len)
return -ENOENT;

memcpy(&kget.info, &p->event_q[p->q_out], sizeof(struct i2o_evt_info));
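Review bot: the `!p ||` added to `if (!p || !p->q_len)` is the right guard and sits where it must, since the for loop above falls through with p == NULL when no entry of open_files matches fp->private_data, and the very next statement, `memcpy(&kget.info, &p->event_q[p->q_out], ...)`, dereferences p; one thing worth a follow-up is that -ENOENT now covers two distinct conditions, "no event queue registered for this file" and "queue is empty", which the caller cannot tell apart, so either a short comment on that line or a separate error code for the no-queue case would make the intent clearer.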


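The failure mode Eric describes, as an added example that is not part of the original mail or of the kernel source: a hypothetical stand-in for the open_files lookup in i2o_cfg_evt_get(), with the same loop shape, showing how the loop exits with p == NULL on a miss and how the patched guard turns that into -ENOENT instead of a NULL dereference. The struct layout, the event payload and the sample list are constructed for the example.

```c
/* Added example modelled on the i2o_cfg_evt_get() lookup; not kernel code.
 * The struct, the int payload and the sample list are constructed here. */
#include <stddef.h>
#include <errno.h>
#include <stdio.h>

#define EVT_Q_SIZE 4

/* Simplified stand-in for the per-file event queue entry. */
struct evt_queue {
    unsigned long q_id;      /* matched against the fd's private_data */
    int q_len;               /* number of queued events */
    int q_out;               /* index of the oldest queued event */
    int event_q[EVT_Q_SIZE]; /* payload reduced to an int per event */
    struct evt_queue *next;
};

/* Mirrors the patched lookup. Returns -ENOENT when no entry matches q_id
 * (the loop runs to completion and p is NULL) or when the matched queue
 * is empty; otherwise dequeues the oldest event into *out and returns 0. */
int evt_get(struct evt_queue *open_files, unsigned long q_id, int *out)
{
    struct evt_queue *p;

    for (p = open_files; p; p = p->next)
        if (p->q_id == q_id)
            break;

    /* Without the "!p ||" part, a lookup miss dereferences NULL here,
     * which is exactly what the unpatched code did. */
    if (!p || !p->q_len)
        return -ENOENT;

    *out = p->event_q[p->q_out];
    p->q_out = (p->q_out + 1) % EVT_Q_SIZE;
    p->q_len--;
    return 0;
}

/* Constructed sample list: queue 7 holds one event, queue 9 is empty,
 * and no queue has id 3. */
static struct evt_queue q9 = { .q_id = 9, .q_len = 0, .q_out = 0,
                               .event_q = { 0 }, .next = NULL };
static struct evt_queue q7 = { .q_id = 7, .q_len = 1, .q_out = 0,
                               .event_q = { 42, 0, 0, 0 }, .next = &q9 };
struct evt_queue *open_files = &q7;

int main(void)
{
    int ev = 0, rc;

    rc = evt_get(open_files, 3, &ev);   /* no match: p == NULL after loop */
    printf("q_id 3: rc=%d\n", rc);
    rc = evt_get(open_files, 9, &ev);   /* match, but queue empty */
    printf("q_id 9: rc=%d\n", rc);
    rc = evt_get(open_files, 7, &ev);   /* match with one event */
    printf("q_id 7: rc=%d ev=%d\n", rc, ev);
    rc = evt_get(open_files, 7, &ev);   /* same queue, now drained */
    printf("q_id 7 again: rc=%d\n", rc);
    return 0;
}
```

The order of the checks matters: `!p` must be tested before `p->q_len`, and the short-circuit `||` guarantees the second operand is never evaluated when p is NULL.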