* smatch stuff: dereferencing first then checking in SendReceive()
@ 2011-03-19 23:28 Dan Carpenter
From: Dan Carpenter @ 2011-03-19 23:28 UTC (permalink / raw)
  To: linux-cifs-u79uwXL29TY76Z2rM5mHXA; +Cc: samba-technical-w/Ol4Ecudpl8XjKLYN78aQ

Smatch complains about this, but I don't know if it's a bug or not.

fs/cifs/transport.c +791 SendReceive(106)
	warn: variable dereferenced before check 'midQ->resp_buf'

   780          receive_len = be32_to_cpu(midQ->resp_buf->smb_buf_length);
                                          ^^^^^^^^^^^^^^^^
	dereference
   781
   782          if (receive_len > CIFSMaxBufSize + MAX_CIFS_HDR_SIZE) {
   783                  cERROR(1, "Frame too large received.  Length: %d  Xid: %d",
   784                          receive_len, xid);
   785                  rc = -EIO;
   786                  goto out;
   787          }
   788
   789          /* rcvd frame is ok */
   790
   791          if (midQ->resp_buf && out_buf
                    ^^^^^^^^^^^^^^
	checking for null

   792              && (midQ->midState == MID_RESPONSE_RECEIVED)) {
   793                  out_buf->smb_buf_length = cpu_to_be32(receive_len);

regards,
dan carpenter


* Re: smatch stuff: dereferencing first then checking in SendReceive()
From: Steve French @ 2011-03-20  3:20 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA,
	samba-technical-w/Ol4Ecudpl8XjKLYN78aQ

On Sat, Mar 19, 2011 at 6:28 PM, Dan Carpenter <error27-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Smatch complains about this, but I don't know if it's a bug or not.
>
> fs/cifs/transport.c +791 SendReceive(106)
>        warn: variable dereferenced before check 'midQ->resp_buf'
>
>   780          receive_len = be32_to_cpu(midQ->resp_buf->smb_buf_length);
>                                          ^^^^^^^^^^^^^^^^
>        dereference
>   781
>   782          if (receive_len > CIFSMaxBufSize + MAX_CIFS_HDR_SIZE) {
>   783                  cERROR(1, "Frame too large received.  Length: %d  Xid: %d",
>   784                          receive_len, xid);
>   785                  rc = -EIO;
>   786                  goto out;
>   787          }
>   788
>   789          /* rcvd frame is ok */
>   790
>   791          if (midQ->resp_buf && out_buf
>                    ^^^^^^^^^^^^^^
>        checking for null
>
>   792              && (midQ->midState == MID_RESPONSE_RECEIVED)) {
>   793                  out_buf->smb_buf_length = cpu_to_be32(receive_len);
>
> regards,
> dan carpenter

Older kernels had the same (midQ->resp_buf == NULL)
check in the same place, and I don't see a way to get there with
midQ->resp_buf == NULL, so that check on line
791 does look like a redundant check.

I will double check.



-- 
Thanks,

Steve
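An added illustration of the pattern smatch reported, not code from this thread or from fs/cifs: the flagged ordering, where midQ->resp_buf is read before it is tested, beside a version with the NULL tests hoisted above the first dereference (Steve's observation that the test may simply be unreachable would instead argue for dropping it). The struct shapes, error numbers and the CIFSMaxBufSize / MAX_CIFS_HDR_SIZE values are assumed stand-ins.

```c
#include <stdint.h>

/* Constructed stand-ins for the kernel names in the excerpt (assumed values). */
#define EIO                   5
#define EINVAL                22
#define CIFSMaxBufSize        16384
#define MAX_CIFS_HDR_SIZE     0x58
#define MID_RESPONSE_RECEIVED 1

struct smb_hdr { uint32_t smb_buf_length; };   /* big-endian on the wire */
struct mid_q_entry { struct smb_hdr *resp_buf; int midState; };

/* Byte-wise big-endian decode, correct on any host; the 32-bit byte swap is
 * its own inverse, so the same routine serves as cpu_to_be32. */
static uint32_t be32_to_cpu(uint32_t v)
{
    const unsigned char *p = (const unsigned char *)&v;
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
#define cpu_to_be32(v) be32_to_cpu(v)

/* The ordering smatch flagged: resp_buf is dereferenced on the first line,
 * so the NULL test further down can never protect that read. */
static int copy_response_unchecked(struct mid_q_entry *midQ, struct smb_hdr *out_buf)
{
    uint32_t receive_len = be32_to_cpu(midQ->resp_buf->smb_buf_length);

    if (receive_len > CIFSMaxBufSize + MAX_CIFS_HDR_SIZE)
        return -EIO;                     /* frame too large */
    if (midQ->resp_buf && out_buf && midQ->midState == MID_RESPONSE_RECEIVED)
        out_buf->smb_buf_length = cpu_to_be32(receive_len);
    return 0;
}

/* Same logic with the NULL tests hoisted above the first dereference. */
static int copy_response_checked(struct mid_q_entry *midQ, struct smb_hdr *out_buf)
{
    uint32_t receive_len;

    if (!midQ->resp_buf || !out_buf)
        return -EINVAL;                  /* nothing to read from or write to */
    receive_len = be32_to_cpu(midQ->resp_buf->smb_buf_length);
    if (receive_len > CIFSMaxBufSize + MAX_CIFS_HDR_SIZE)
        return -EIO;                     /* frame too large */
    if (midQ->midState == MID_RESPONSE_RECEIVED)
        out_buf->smb_buf_length = cpu_to_be32(receive_len);
    return 0;
}
```

With a NULL resp_buf the unchecked variant faults before its own test runs, which is exactly the condition the checked variant turns into -EINVAL.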

