From: Patrick McHardy <kaber@trash.net>
To: Ken Ashcraft <kash@stanford.edu>
Cc: linux-kernel@vger.kernel.org,  mc@cs.stanford.edu,
	Netfilter Development Mailinglist
	<netfilter-devel@lists.netfilter.org>
Subject: Re: [CHECKER] 33 missing null checks
Date: Sun, 28 Mar 2004 11:47:45 +0200
Message-ID: <40669F41.3060100@trash.net>
In-Reply-To: <5.2.1.1.2.20040327225419.01930cc8@kash.pobox.stanford.edu>

Ken Ashcraft wrote:
> I'm from the Stanford Metacompilation research group where we use static 
> analysis to find bugs.  I'm trying a new technique, so I would 
> appreciate feedback on these error reports.
> 
> I found these errors by comparing implementations of the same 
> interface.  If functions are assigned to the same function pointer (same 
> field of some struct), I assume that the functions are called from the 
> same context.  Therefore, they should treat their incoming parameters 
> similarly.  In this case, before dereferencing pointers, the functions 
> should either check the pointers for null or not check the pointers for 
> null.  Any contradiction is an error.

This one is invalid. The iptables targets and matches check if they are
called from a valid hook. MASQUERADE for example can only be used in
the POST_ROUTING hook, and out should always be != NULL there.

Regards
Patrick

> There are 33 reports below.  Each report contains first a reference to 
> an EXAMPLE or a place where the parameter is checked.  That reference is 
> followed by a COUNTER(example) or a place where the parameter is not 
> checked.  After that is a code snippet from the counter example.  The 
> type of the function pointer (struct foo.bar) can be found in the 
> COUNTER field: [COUNTER=struct foo.bar-param_num].
> 
> Unfortunately, many of these errors had only one EXAMPLE and one 
> COUNTER.  It may be that some of the null checks are spurious.  You can 
> see the number of EXAMPLEs for a report in the [ex=i] field of the 
> COUNTER line.
> 
> Thanks for any feedback,
> Ken Ashcraft
> 
> ---------------------------------------------------------
> [BUG]
> /home/kash/interface/linux-2.6.3/net/ipv4/netfilter/ipt_MASQUERADE.c:128:masquerade_target: 
> ERROR:DEREF: Not checking arg out [COUNTER=struct ipt_target.target-2] 
> [fit=3] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=2] [counter=1] [z = 
> -2.25170500701057] [fn-z = -4.35889894354067]
>     newsrc = rt->rt_src;
>     DEBUGP("newsrc = %u.%u.%u.%u\n", NIPQUAD(newsrc));
>     ip_rt_put(rt);
> 
>     WRITE_LOCK(&masq_lock);
> 
> Error --->
>     ct->nat.masq_index = out->ifindex;
>     WRITE_UNLOCK(&masq_lock);
> 
>     /* Transfer from original range. */
> ---------------------------------------------------------
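
Added example, not part of either message and not kernel code: a minimal C model of the argument in the reply, where a hook check at rule-insertion time is what makes an unchecked `out->ifindex` dereference safe even though a sibling implementation of the same interface tests `out`. All types and function names here (`struct target`, `masq_check`, `insert_rule`, `run_rule`, and so on) are hypothetical stand-ins.

```c
#include <stddef.h>

/* Hypothetical stand-ins constructed for this example; not the kernel's types. */
enum hook { HOOK_PRE_ROUTING, HOOK_LOCAL_IN, HOOK_POST_ROUTING };
struct net_device { int ifindex; };

struct target {
    /* Called once at rule insertion with the hooks the rule is reachable from. */
    int (*checkentry)(unsigned int hook_mask);
    /* Called per packet; 'out' is NULL on hooks that have no output device. */
    int (*target)(const struct net_device *in, const struct net_device *out);
};

/* Implementation A: allowed on any hook, so it has to test 'out' itself. */
static int any_check(unsigned int hook_mask) { (void)hook_mask; return 1; }
static int any_target(const struct net_device *in, const struct net_device *out)
{
    (void)in;
    return out ? out->ifindex : -1;
}

/* Implementation B: restricted to POST_ROUTING by its checkentry. */
static int masq_check(unsigned int hook_mask)
{
    return (hook_mask & ~(1u << HOOK_POST_ROUTING)) == 0;
}
static int masq_target(const struct net_device *in, const struct net_device *out)
{
    (void)in;
    return out->ifindex; /* no NULL test: masq_check() already gated the hook */
}

static const struct target any_tg  = { any_check,  any_target  };
static const struct target masq_tg = { masq_check, masq_target };

/* Rule insertion: returns 1 if the target accepts this hook, 0 otherwise. */
int insert_rule(const struct target *t, enum hook h)
{
    return t->checkentry(1u << h);
}

/* Packet path: the target runs only for rules that passed insertion (-2 if not). */
int run_rule(const struct target *t, enum hook h,
             const struct net_device *in, const struct net_device *out)
{
    if (!insert_rule(t, h))
        return -2;
    return t->target(in, out);
}
```

A checker that compares only the per-packet functions sees A test `out` and B dereference it unchecked, and reports B; the invariant that excuses B lives in a different callback of the same struct.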