Bug 217747

Summary:

sys/dev/mly/mly.c: PVS-Studio: NULL Pointer Dereference (CWE-476) (1)

Product:

Base System

Reporter:

Svyatoslav <razmyslov>

Component:

kern

Assignee:

John Baldwin <jhb>

Status:

Closed FIXED

Severity:

Affects Many People

CC:

emaste, jhb

Priority:

---

Keywords:

patch

Version:

CURRENT

Flags:

jhb: mfc-stable11+
jhb: mfc-stable10+

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
git patch	none
mly.patch	none

Description Svyatoslav 2017-03-13 12:09:14 UTC

Created attachment 180770 [details]
git patch

We have found and fixed a vulnerability using PVS-Studio tool. PVS-Studio is a static code analyzer for C, C++ and C#: https://www.viva64.com/en/pvs-studio/

Analyzer warning: V595 The 'mc' pointer was utilized before it was verified against nullptr. Check lines: 2954, 2955. mly.c 2954

Comment 1 John Baldwin freebsd_committer

2017-08-08 15:56:02 UTC

Created attachment 185158 [details]
mly.patch

I would probably either move the check of mc_data into the 'if (mc != NULL)' block, or do the approach above where we just return immediately if we fail to get a command and then 'mc' is never NULL when 'out' is jumped to.

Comment 2 Ed Maste freebsd_committer

2017-08-08 16:57:57 UTC

Your patch looks good to me. Will you commit it?

Comment 3 commit-hook freebsd_committer

2017-08-08 17:50:48 UTC

A commit references this bug:

Author: jhb
Date: Tue Aug  8 17:49:58 UTC 2017
New revision: 322270
URL: https://svnweb.freebsd.org/changeset/base/322270

Log:
  Fix a NULL pointer dereference in mly_user_command().

  If mly_user_command fails to allocate a command slot it jumps to an 'out'
  label used for error handling.  The error handling code checks for a data
  buffer in 'mc->mc_data' to free before checking if 'mc' is NULL.  Fix by
  just returning directly if we fail to allocate a command and only using
  the 'out' label for subsequent errors when there is actual cleanup to
  perform.

  PR:		217747
  Reported by:	PVS-Studio
  Reviewed by:	emaste
  MFC after:	1 week

Changes:
  head/sys/dev/mly/mly.c

Comment 4 commit-hook freebsd_committer

2017-09-20 20:49:16 UTC

A commit references this bug:

Author: jhb
Date: Wed Sep 20 20:48:22 UTC 2017
New revision: 323826
URL: https://svnweb.freebsd.org/changeset/base/323826

Log:
  MFC 322270: Fix a NULL pointer dereference in mly_user_command().

  If mly_user_command fails to allocate a command slot it jumps to an 'out'
  label used for error handling.  The error handling code checks for a data
  buffer in 'mc->mc_data' to free before checking if 'mc' is NULL.  Fix by
  just returning directly if we fail to allocate a command and only using
  the 'out' label for subsequent errors when there is actual cleanup to
  perform.

  PR:		217747
  Reported by:	PVS-Studio

Changes:
_U  stable/10/
  stable/10/sys/dev/mly/mly.c
_U  stable/11/
  stable/11/sys/dev/mly/mly.c