Re: [PATCH] sb1000: prevent a potential NULL pointer dereference insb1000_dev_ioctl()
From: Satyam Sharma
Date: Sun Jul 29 2007 - 01:52:48 EST
On Sun, 29 Jul 2007, Domen Puncer wrote:
> On 29/07/07 00:02 +0200, Jesper Juhl wrote:
> > Hi,
> >
> > Here's a small patch, prompted by a find by the Coverity checker,
> > that removes a potential NULL pointer dereference from
> > drivers/net/sb1000.c::sb1000_dev_ioctl().
> > The checker spotted that we do a NULL test of 'dev', yet we
> > dereference the pointer prior to that check.
> > This patch simply moves the dereference after the NULL test.
>
> But... it can't be called without a valid 'dev', no?
> A quick 'grep do_ioctl net/' confirms that all calls are in
> the form of 'dev->do_ioctl(dev, ...'.
Yup, I think so too ...
> > @@ -991,11 +991,13 @@ static int sb1000_dev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
> > short PID[4];
> > int ioaddr[2], status, frequency;
> > unsigned int stats[5];
> > - struct sb1000_private *lp = netdev_priv(dev);
> > + struct sb1000_private *lp;
> >
> > if (!(dev && dev->flags & IFF_UP))
> > return -ENODEV;
I think we could get rid of the !dev check itself. Actually, the IFF_UP
check /also/ looks suspect to me for two reasons: (1) I remember Stephen
Hemminger once telling me dev->flags is legacy and unsafe, and one of
the netif_xxx() functions be used instead, and, (2) I wonder if we really
require the interface to be up and *running* when we do this ioctl.
Satyam
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/