From: Patrick McHardy <kaber@trash.net>
To: Ken Ashcraft <kash@stanford.edu>
Cc: linux-kernel@vger.kernel.org, mc@cs.stanford.edu,
Netfilter Development Mailinglist
<netfilter-devel@lists.netfilter.org>
Subject: Re: [CHECKER] 33 missing null checks
Date: Sun, 28 Mar 2004 11:47:45 +0200
Message-ID: <40669F41.3060100@trash.net>
In-Reply-To: <5.2.1.1.2.20040327225419.01930cc8@kash.pobox.stanford.edu>

Ken Ashcraft wrote:
> I'm from the Stanford Metacompilation research group where we use static
> analysis to find bugs. I'm trying a new technique, so I would
> appreciate feedback on these error reports.
>
> I found these errors by comparing implementations of the same
> interface. If functions are assigned to the same function pointer (same
> field of some struct), I assume that the functions are called from the
> same context. Therefore, they should treat their incoming parameters
> similarly. In this case, before dereferencing pointers, the functions
> should either check the pointers for null or not check the pointers for
> null. Any contradiction is an error.

This one is invalid. The iptables targets and matches check if they are
called from a valid hook. MASQUERADE for example can only be used in
the POST_ROUTING hook, and out should always be != NULL there.

Regards
Patrick

> There are 33 reports below. Each report contains first a reference to
> an EXAMPLE or a place where the parameter is checked. That reference is
> followed by a COUNTER(example) or a place where the parameter is not
> checked. After that is a code snippet from the counter example. The
> type of the function pointer (struct foo.bar) can be found in the
> COUNTER field: [COUNTER=struct foo.bar-param_num].
>
> Unfortunately, many of these errors had only one EXAMPLE and one
> COUNTER. It may be that some of the null checks are spurious. You can
> see the number of EXAMPLEs for a report in the [ex=i] field of the
> COUNTER line.
>
> Thanks for any feedback,
> Ken Ashcraft
>
> ---------------------------------------------------------
> [BUG]
> /home/kash/interface/linux-2.6.3/net/ipv4/netfilter/ipt_MASQUERADE.c:128:masquerade_target:
> ERROR:DEREF: Not checking arg out [COUNTER=struct ipt_target.target-2]
> [fit=3] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=2] [counter=1] [z =
> -2.25170500701057] [fn-z = -4.35889894354067]
> newsrc = rt->rt_src;
> DEBUGP("newsrc = %u.%u.%u.%u\n", NIPQUAD(newsrc));
> ip_rt_put(rt);
>
> WRITE_LOCK(&masq_lock);
>
> Error --->
> ct->nat.masq_index = out->ifindex;
> WRITE_UNLOCK(&masq_lock);
>
> /* Transfer from original range. */
> ---------------------------------------------------------
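
The invariant described in the reply above, as an added userspace model that is not code from the thread or from the kernel: a rule-install-time hook check is what lets the per-packet function dereference `out` without a NULL test, which a checker comparing only the per-packet functions cannot see. All names (`target_ops`, `run_rule`, the `dev` struct, the sample ifindex values) are hypothetical.

```c
/* Userspace model (added example, hypothetical names; not kernel code). */
#include <stddef.h>
#include <stdio.h>

enum hook { PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING, NUM_HOOKS };
struct dev { int ifindex; };

struct target_ops {
    int (*checkentry)(unsigned int hook_mask);                   /* once, at rule install */
    int (*target)(const struct dev *in, const struct dev *out);  /* per packet */
};

/* Accept the rule only if every hook it is attached to is POST_ROUTING. */
static int masq_checkentry(unsigned int hook_mask)
{
    return hook_mask != 0 && (hook_mask & ~(1u << POST_ROUTING)) == 0;
}

/* No NULL check on 'out': safe only because masq_checkentry gates the hooks. */
static int masq_target(const struct dev *in, const struct dev *out)
{
    (void)in;
    return out->ifindex;
}

static const struct target_ops masq_ops = { masq_checkentry, masq_target };

/* The stack passes NULL for a device that does not exist at a given hook. */
static int hook_has_in(enum hook h)  { return h <= FORWARD; }
static int hook_has_out(enum hook h) { return h >= FORWARD; }

/* Install a rule on hook h and run one packet through it.
 * Returns -1 if the rule is refused, else the target's result. */
int run_rule(const struct target_ops *t, enum hook h)
{
    static const struct dev eth0 = { 2 }, eth1 = { 3 };  /* constructed devices */
    if (!t->checkentry(1u << h))
        return -1;  /* target is never reached with out == NULL */
    return t->target(hook_has_in(h) ? &eth0 : NULL, hook_has_out(h) ? &eth1 : NULL);
}

int main(void)
{
    for (int h = PRE_ROUTING; h < NUM_HOOKS; h++)
        printf("hook %d -> %d\n", h, run_rule(&masq_ops, (enum hook)h));
    return 0;
}
```
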