* Potential null pointer dereference in serial driver (2.4) and amiga serial driver (2.6)
@ 2005-05-24 15:46 Julien TINNES
0 siblings, 0 replies; only message in thread
From: Julien TINNES @ 2005-05-24 15:46 UTC (permalink / raw)
To: tytso; +Cc: linux-kernel
[-- Attachment #1: Type: text/plain, Size: 165 bytes --]
This is an example of a pointer which is dereferenced (two times),
before beeing null checked.
Patches are attached.
Signed-off-by: Julien TINNES <julien@cr0.org>
[-- Attachment #2: 2.4-serial.patch --]
[-- Type: text/x-patch, Size: 1114 bytes --]
--- linux-2.4.30.orig/drivers/char/serial.c 2005-01-19 15:09:50.000000000 +0100
+++ linux-2.4.30/drivers/char/serial.c 2005-05-24 17:23:26.000000000 +0200
@@ -1827,13 +1827,18 @@
static void rs_put_char(struct tty_struct *tty, unsigned char ch)
{
- struct async_struct *info = (struct async_struct *)tty->driver_data;
+ struct async_struct *info;
unsigned long flags;
+ if (!tty)
+ return;
+
+ info = (struct async_struct *)tty->driver_data;
+
if (serial_paranoia_check(info, tty->device, "rs_put_char"))
return;
- if (!tty || !info->xmit.buf)
+ if (!info->xmit.buf)
return;
save_flags(flags); cli();
@@ -1873,13 +1878,18 @@
const unsigned char *buf, int count)
{
int c, ret = 0;
- struct async_struct *info = (struct async_struct *)tty->driver_data;
+ struct async_struct *info;
unsigned long flags;
+ if (!tty)
+ return 0;
+
+ info = (struct async_struct *)tty->driver_data;
+
if (serial_paranoia_check(info, tty->device, "rs_write"))
return 0;
- if (!tty || !info->xmit.buf || !tmp_buf)
+ if (!info->xmit.buf || !tmp_buf)
return 0;
save_flags(flags);
[-- Attachment #3: 2.6-amiserial.patch --]
[-- Type: text/x-patch, Size: 1147 bytes --]
--- linux-2.6.11.orig/drivers/char/amiserial.c 2005-05-17 10:55:03.000000000 +0200
+++ linux-2.6.11/drivers/char/amiserial.c 2005-05-24 17:10:16.000000000 +0200
@@ -861,13 +861,18 @@
static void rs_put_char(struct tty_struct *tty, unsigned char ch)
{
- struct async_struct *info = (struct async_struct *)tty->driver_data;
+ struct async_struct *info;
unsigned long flags;
+ if(!tty)
+ return;
+
+ info = (struct async_struct *)tty->driver_data;
+
if (serial_paranoia_check(info, tty->name, "rs_put_char"))
return;
- if (!tty || !info->xmit.buf)
+ if (!info->xmit.buf)
return;
local_irq_save(flags);
@@ -910,13 +915,18 @@
static int rs_write(struct tty_struct * tty, const unsigned char *buf, int count)
{
int c, ret = 0;
- struct async_struct *info = (struct async_struct *)tty->driver_data;
+ struct async_struct *info;
unsigned long flags;
+ if(!tty)
+ return 0;
+
+ info = (struct async_struct *)tty->driver_data;
+
if (serial_paranoia_check(info, tty->name, "rs_write"))
return 0;
- if (!tty || !info->xmit.buf || !tmp_buf)
+ if (!info->xmit.buf || !tmp_buf)
return 0;
local_save_flags(flags);
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2005-05-24 15:59 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-05-24 15:46 Potential null pointer dereference in serial driver (2.4) and amiga serial driver (2.6) Julien TINNES
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.