Re: [PATCH] fix dangerous pointer derefs and remove pointless casts in MOXA driver

From: Alexey Dobriyan
Date: Sun May 14 2006 - 10:19:53 EST


On Sun, May 14, 2006 at 03:49:35AM +0200, Jesper Juhl wrote:
> If mxser_write() gets called with a NULL 'tty' pointer, then the initial
> assignment of tty->driver_data to info will explode.

->write() is called via

tty->driver->write(tty, ...);

See? tty was already dereferenced.

> 'tty' is tested for NULL at the beginning of the function, but at that
> point it is too late.
> Fix the problem by only dereferencing tty after it has been tested.
>
> In mxser_put_char() there's the same problem with the same fix.
>
> This should fix coverity bugs #770 && #771 .

> --- linux-2.6.17-rc4-git2-orig/drivers/char/mxser.c
> +++ linux-2.6.17-rc4-git2/drivers/char/mxser.c
> @@ -877,7 +877,7 @@ static int mxser_init(void)
>
> static void mxser_do_softint(void *private_)
> {
> - struct mxser_struct *info = (struct mxser_struct *) private_;
> + struct mxser_struct *info = private_;

Please, don't make unrelated changes, ever.

> struct tty_struct *tty;
>
> tty = info->tty;

> @@ -1078,11 +1077,15 @@ static void mxser_close(struct tty_struc
> static int mxser_write(struct tty_struct *tty, const unsigned char *buf, int count)
> {
> int c, total = 0;
> - struct mxser_struct *info = (struct mxser_struct *) tty->driver_data;
> + struct mxser_struct *info;
> unsigned long flags;
>
> - if (!tty || !info->xmit_buf)
> - return (0);
> + if (!tty)
> + return 0;
> +
> + info = tty->driver_data;
> + if (!info->xmit_buf)
> + return 0;
>
> while (1) {
> c = min_t(int, count, min(SERIAL_XMIT_SIZE - info->xmit_cnt - 1, SERIAL_XMIT_SIZE - info->xmit_head));
> @@ -1114,10 +1117,14 @@ static int mxser_write(struct tty_struct
>
> static void mxser_put_char(struct tty_struct *tty, unsigned char ch)
> {
> - struct mxser_struct *info = (struct mxser_struct *) tty->driver_data;
> + struct mxser_struct *info;
> unsigned long flags;
>
> - if (!tty || !info->xmit_buf)
> + if (!tty)
> + return;
> +
> + info = tty->driver_data;
> + if (!info->xmit_buf)
> return;
>
> if (info->xmit_cnt >= SERIAL_XMIT_SIZE - 1)

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/