Re: [CHECKER] 54 missing null pointer checks in 2.4.17

From: Brad Hards (bhards@bigpond.net.au)
Date: Mon Jun 10 2002 - 02:03:13 EST


On Mon, 10 Jun 2002 13:55, Dawson Engler wrote:
Thanks for these. Patch for 2.4.19-pre10 to fix catc and se401 bugs currently
compile testing :)

But I think that you have a problem identifying the errors in these cases.

> [BUG]
> /u2/engler/mc/oses/linux/2.4.17/drivers/usb/se401.c:1430:se401_init:
> ERROR:NULL:1427:1430:Using ptr "(*se401).width" illegally! set by
> 'kmalloc_Rsmp_93d4cfe6':1427 [COUNTER=kmalloc_Rsmp_93d4cfe6:1427] [fit=46]
> [fit_fn=4] [fn_ex=0] [fn_counter=3] [ex=59] [counter=9] [z =
> -3.11592335081808] [fn-z = -7.54983443527075] return 1;
> }
> sprintf (temp, "ExtraFeatures: %d", cp[3]);
>
> se401->sizes=cp[4]+cp[5]*256;
> Start --->
> se401->width=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> se401->height=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> for (i=0; i<se401->sizes; i++) {
> Error --->
> se401->width[i]=cp[6+i*4+0]+cp[6+i*4+1]*256;
> se401->height[i]=cp[6+i*4+2]+cp[6+i*4+3]*256;
> }
> sprintf (temp, "%s Sizes:", temp);
> ---------------------------------------------------------
bradh: this one is right.

> [BUG]
> /u2/engler/mc/oses/linux/2.4.17/drivers/usb/se401.c:1435:se401_init:
> ERROR:NULL:1427:1435:Using ptr "(*se401).width" illegally! set by
> 'kmalloc_Rsmp_93d4cfe6':1427 [COUNTER=kmalloc_Rsmp_93d4cfe6:1427] [fit=46]
> [fit_fn=4] [fn_ex=0] [fn_counter=3] [ex=59] [counter=9] [z =
> -3.11592335081808] [fn-z = -7.54983443527075] return 1;
> }
> sprintf (temp, "ExtraFeatures: %d", cp[3]);
>
> se401->sizes=cp[4]+cp[5]*256;
> Start --->
> se401->width=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> se401->height=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> for (i=0; i<se401->sizes; i++) {
> se401->width[i]=cp[6+i*4+0]+cp[6+i*4+1]*256;
> se401->height[i]=cp[6+i*4+2]+cp[6+i*4+3]*256;
> }
> sprintf (temp, "%s Sizes:", temp);
> for (i=0; i<se401->sizes; i++) {
> Error --->
> sprintf(temp, "%s %dx%d", temp, se401->width[i], se401->height[i]);
> }
> info("%s", temp);
> se401->maxframesize=se401->width[se401->sizes-1]*se401->height[se401->size
>s-1]*3; ---------------------------------------------------------
bradh: this one is wrong. If it didn't oops on the previous one, it won't oops
here :)

> [BUG]
> /u2/engler/mc/oses/linux/2.4.17/drivers/usb/se401.c:1438:se401_init:
> ERROR:NULL:1427:1438:Using ptr "(*se401).width" illegally! set by
> 'kmalloc_Rsmp_93d4cfe6':1427 [COUNTER=kmalloc_Rsmp_93d4cfe6:1427] [fit=46]
> [fit_fn=4] [fn_ex=0] [fn_counter=3] [ex=59] [counter=9] [z =
> -3.11592335081808] [fn-z = -7.54983443527075] return 1;
> }
> sprintf (temp, "ExtraFeatures: %d", cp[3]);
>
> se401->sizes=cp[4]+cp[5]*256;
> Start --->
> se401->width=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> se401->height=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> for (i=0; i<se401->sizes; i++) {
> se401->width[i]=cp[6+i*4+0]+cp[6+i*4+1]*256;
> se401->height[i]=cp[6+i*4+2]+cp[6+i*4+3]*256;
> }
> sprintf (temp, "%s Sizes:", temp);
> for (i=0; i<se401->sizes; i++) {
> sprintf(temp, "%s %dx%d", temp, se401->width[i], se401->height[i]);
> }
> info("%s", temp);
> Error --->
> se401->maxframesize=se401->width[se401->sizes-1]*se401->height[se401->size
>s-1]*3;
>
> rc=se401_sndctrl(0, se401, SE401_REQ_GET_WIDTH, 0, cp, sizeof(cp));
> se401->cwidth=cp[0]+cp[1]*256;
> ---------------------------------------------------------
bradh: this can't be the error, see above.

> [BUG]
> /u2/engler/mc/oses/linux/2.4.17/drivers/usb/se401.c:1431:se401_init:
> ERROR:NULL:1428:1431:Using ptr "(*se401).height" illegally! set by
> 'kmalloc_Rsmp_93d4cfe6':1428 [COUNTER=kmalloc_Rsmp_93d4cfe6:1428] [fit=46]
> [fit_fn=5] [fn_ex=0] [fn_counter=3] [ex=59] [counter=9] [z =
> -3.11592335081808] [fn-z = -7.54983443527075] }
> sprintf (temp, "ExtraFeatures: %d", cp[3]);
>
> se401->sizes=cp[4]+cp[5]*256;
> se401->width=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> Start --->
> se401->height=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> for (i=0; i<se401->sizes; i++) {
> se401->width[i]=cp[6+i*4+0]+cp[6+i*4+1]*256;
> Error --->
> se401->height[i]=cp[6+i*4+2]+cp[6+i*4+3]*256;
> }
> sprintf (temp, "%s Sizes:", temp);
> for (i=0; i<se401->sizes; i++) {
> ---------------------------------------------------------
This is the true bug.

> [BUG]
> /u2/engler/mc/oses/linux/2.4.17/drivers/usb/se401.c:1435:se401_init:
> ERROR:NULL:1428:1435:Using ptr "(*se401).height" illegally! set by
> 'kmalloc_Rsmp_93d4cfe6':1428 [COUNTER=kmalloc_Rsmp_93d4cfe6:1428] [fit=46]
> [fit_fn=5] [fn_ex=0] [fn_counter=3] [ex=59] [counter=9] [z =
> -3.11592335081808] [fn-z = -7.54983443527075] }
> sprintf (temp, "ExtraFeatures: %d", cp[3]);
>
> se401->sizes=cp[4]+cp[5]*256;
> se401->width=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> Start --->
> se401->height=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> for (i=0; i<se401->sizes; i++) {
> se401->width[i]=cp[6+i*4+0]+cp[6+i*4+1]*256;
> se401->height[i]=cp[6+i*4+2]+cp[6+i*4+3]*256;
> }
> sprintf (temp, "%s Sizes:", temp);
> for (i=0; i<se401->sizes; i++) {
> Error --->
> sprintf(temp, "%s %dx%d", temp, se401->width[i], se401->height[i]);
> }
> info("%s", temp);
> se401->maxframesize=se401->width[se401->sizes-1]*se401->height[se401->size
>s-1]*3; ---------------------------------------------------------
This can't be.

> [BUG]
> /u2/engler/mc/oses/linux/2.4.17/drivers/usb/se401.c:1438:se401_init:
> ERROR:NULL:1428:1438:Using ptr "(*se401).height" illegally! set by
> 'kmalloc_Rsmp_93d4cfe6':1428 [COUNTER=kmalloc_Rsmp_93d4cfe6:1428] [fit=46]
> [fit_fn=5] [fn_ex=0] [fn_counter=3] [ex=59] [counter=9] [z =
> -3.11592335081808] [fn-z = -7.54983443527075] }
> sprintf (temp, "ExtraFeatures: %d", cp[3]);
>
> se401->sizes=cp[4]+cp[5]*256;
> se401->width=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> Start --->
> se401->height=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> for (i=0; i<se401->sizes; i++) {
> se401->width[i]=cp[6+i*4+0]+cp[6+i*4+1]*256;
> se401->height[i]=cp[6+i*4+2]+cp[6+i*4+3]*256;
> }
> sprintf (temp, "%s Sizes:", temp);
> for (i=0; i<se401->sizes; i++) {
> sprintf(temp, "%s %dx%d", temp, se401->width[i], se401->height[i]);
> }
> info("%s", temp);
> Error --->
> se401->maxframesize=se401->width[se401->sizes-1]*se401->height[se401->size
>s-1]*3;
>
> rc=se401_sndctrl(0, se401, SE401_REQ_GET_WIDTH, 0, cp, sizeof(cp));
> se401->cwidth=cp[0]+cp[1]*256;
> ---------------------------------------------------------
This can't be.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Sat Jun 15 2002 - 22:00:16 EST