From: Julien TINNES <julien-lkml@cr0.org>
To: tytso@mit.edu
Cc: linux-kernel@vger.kernel.org
Subject: Potential null pointer dereference in serial driver (2.4) and amiga serial driver (2.6)
Date: Tue, 24 May 2005 17:46:21 +0200 [thread overview]
Message-ID: <42934C4D.2040501@cr0.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 165 bytes --]
This is an example of a pointer which is dereferenced (two times),
before beeing null checked.
Patches are attached.
Signed-off-by: Julien TINNES <julien@cr0.org>
[-- Attachment #2: 2.4-serial.patch --]
[-- Type: text/x-patch, Size: 1114 bytes --]
--- linux-2.4.30.orig/drivers/char/serial.c 2005-01-19 15:09:50.000000000 +0100
+++ linux-2.4.30/drivers/char/serial.c 2005-05-24 17:23:26.000000000 +0200
@@ -1827,13 +1827,18 @@
static void rs_put_char(struct tty_struct *tty, unsigned char ch)
{
- struct async_struct *info = (struct async_struct *)tty->driver_data;
+ struct async_struct *info;
unsigned long flags;
+ if (!tty)
+ return;
+
+ info = (struct async_struct *)tty->driver_data;
+
if (serial_paranoia_check(info, tty->device, "rs_put_char"))
return;
- if (!tty || !info->xmit.buf)
+ if (!info->xmit.buf)
return;
save_flags(flags); cli();
@@ -1873,13 +1878,18 @@
const unsigned char *buf, int count)
{
int c, ret = 0;
- struct async_struct *info = (struct async_struct *)tty->driver_data;
+ struct async_struct *info;
unsigned long flags;
+ if (!tty)
+ return 0;
+
+ info = (struct async_struct *)tty->driver_data;
+
if (serial_paranoia_check(info, tty->device, "rs_write"))
return 0;
- if (!tty || !info->xmit.buf || !tmp_buf)
+ if (!info->xmit.buf || !tmp_buf)
return 0;
save_flags(flags);
[-- Attachment #3: 2.6-amiserial.patch --]
[-- Type: text/x-patch, Size: 1147 bytes --]
--- linux-2.6.11.orig/drivers/char/amiserial.c 2005-05-17 10:55:03.000000000 +0200
+++ linux-2.6.11/drivers/char/amiserial.c 2005-05-24 17:10:16.000000000 +0200
@@ -861,13 +861,18 @@
static void rs_put_char(struct tty_struct *tty, unsigned char ch)
{
- struct async_struct *info = (struct async_struct *)tty->driver_data;
+ struct async_struct *info;
unsigned long flags;
+ if(!tty)
+ return;
+
+ info = (struct async_struct *)tty->driver_data;
+
if (serial_paranoia_check(info, tty->name, "rs_put_char"))
return;
- if (!tty || !info->xmit.buf)
+ if (!info->xmit.buf)
return;
local_irq_save(flags);
@@ -910,13 +915,18 @@
static int rs_write(struct tty_struct * tty, const unsigned char *buf, int count)
{
int c, ret = 0;
- struct async_struct *info = (struct async_struct *)tty->driver_data;
+ struct async_struct *info;
unsigned long flags;
+ if(!tty)
+ return 0;
+
+ info = (struct async_struct *)tty->driver_data;
+
if (serial_paranoia_check(info, tty->name, "rs_write"))
return 0;
- if (!tty || !info->xmit.buf || !tmp_buf)
+ if (!info->xmit.buf || !tmp_buf)
return 0;
local_save_flags(flags);
reply other threads:[~2005-05-24 15:59 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=42934C4D.2040501@cr0.org \
--to=julien-lkml@cr0.org \
--cc=linux-kernel@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox