Re: [CHECKER] 33 missing null checks

From: Patrick McHardy
Date: Sun Mar 28 2004 - 04:48:03 EST

Ken Ashcraft wrote:
I'm from the Stanford Metacompilation research group where we use static analysis to find bugs. I'm trying a new technique, so I would appreciate feedback on these error reports.

I found these errors by comparing implementations of the same interface. If functions are assigned to the same function pointer (same field of some struct), I assume that the functions are called from the same context. Therefore, they should treat their incoming parameters similarly. In this case, before dereferencing pointers, the functions should either check the pointers for null or not check the pointers for null. Any contradiction is an error.

This one is invalid. The iptables targets and matches check if they are
called from a valid hook. MASQUERADE for example can only be used in
the POST_ROUTING hook, and out should always be != NULL there.


There are 33 reports below. Each report contains first a reference to an EXAMPLE or a place where the parameter is checked. That reference is followed by a COUNTER(example) or a place where the parameter is not checked. After that is a code snippet from the counter example. The type of the function pointer (struct can be found in the COUNTER field: [COUNTER=struct].

Unfortunately, many of these errors had only one EXAMPLE and one COUNTER. It may be that some of the null checks are spurious. You can see the number of EXAMPLEs for a report in the [ex=i] field of the COUNTER line.

Thanks for any feedback,
Ken Ashcraft

/home/kash/interface/linux-2.6.3/net/ipv4/netfilter/ipt_MASQUERADE.c:128:masquerade_target: ERROR:DEREF: Not checking arg out [COUNTER=struct] [fit=3] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=2] [counter=1] [z = -2.25170500701057] [fn-z = -4.35889894354067]
newsrc = rt->rt_src;
DEBUGP("newsrc = %u.%u.%u.%u\n", NIPQUAD(newsrc));


Error --->
ct->nat.masq_index = out->ifindex;

/* Transfer from original range. */
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at