* Potential null pointer dereference in serial driver (2.4) and amiga serial driver (2.6)
@ 2005-05-24 15:46 Julien TINNES
0 siblings, 0 replies; only message in thread
From: Julien TINNES @ 2005-05-24 15:46 UTC (permalink / raw)
To: tytso; +Cc: linux-kernel
[-- Attachment #1: Type: text/plain, Size: 165 bytes --]
This is an example of a pointer which is dereferenced (two times),
before beeing null checked.
Patches are attached.
Signed-off-by: Julien TINNES <julien@cr0.org>
[-- Attachment #2: 2.4-serial.patch --]
[-- Type: text/x-patch, Size: 1114 bytes --]
--- linux-2.4.30.orig/drivers/char/serial.c 2005-01-19 15:09:50.000000000 +0100
+++ linux-2.4.30/drivers/char/serial.c 2005-05-24 17:23:26.000000000 +0200
@@ -1827,13 +1827,18 @@
static void rs_put_char(struct tty_struct *tty, unsigned char ch)
{
- struct async_struct *info = (struct async_struct *)tty->driver_data;
+ struct async_struct *info;
unsigned long flags;
+ if (!tty)
+ return;
+
+ info = (struct async_struct *)tty->driver_data;
+
if (serial_paranoia_check(info, tty->device, "rs_put_char"))
return;
- if (!tty || !info->xmit.buf)
+ if (!info->xmit.buf)
return;
save_flags(flags); cli();
@@ -1873,13 +1878,18 @@
const unsigned char *buf, int count)
{
int c, ret = 0;
- struct async_struct *info = (struct async_struct *)tty->driver_data;
+ struct async_struct *info;
unsigned long flags;
+ if (!tty)
+ return 0;
+
+ info = (struct async_struct *)tty->driver_data;
+
if (serial_paranoia_check(info, tty->device, "rs_write"))
return 0;
- if (!tty || !info->xmit.buf || !tmp_buf)
+ if (!info->xmit.buf || !tmp_buf)
return 0;
save_flags(flags);
[-- Attachment #3: 2.6-amiserial.patch --]
[-- Type: text/x-patch, Size: 1147 bytes --]
--- linux-2.6.11.orig/drivers/char/amiserial.c 2005-05-17 10:55:03.000000000 +0200
+++ linux-2.6.11/drivers/char/amiserial.c 2005-05-24 17:10:16.000000000 +0200
@@ -861,13 +861,18 @@
static void rs_put_char(struct tty_struct *tty, unsigned char ch)
{
- struct async_struct *info = (struct async_struct *)tty->driver_data;
+ struct async_struct *info;
unsigned long flags;
+ if(!tty)
+ return;
+
+ info = (struct async_struct *)tty->driver_data;
+
if (serial_paranoia_check(info, tty->name, "rs_put_char"))
return;
- if (!tty || !info->xmit.buf)
+ if (!info->xmit.buf)
return;
local_irq_save(flags);
@@ -910,13 +915,18 @@
static int rs_write(struct tty_struct * tty, const unsigned char *buf, int count)
{
int c, ret = 0;
- struct async_struct *info = (struct async_struct *)tty->driver_data;
+ struct async_struct *info;
unsigned long flags;
+ if(!tty)
+ return 0;
+
+ info = (struct async_struct *)tty->driver_data;
+
if (serial_paranoia_check(info, tty->name, "rs_write"))
return 0;
- if (!tty || !info->xmit.buf || !tmp_buf)
+ if (!info->xmit.buf || !tmp_buf)
return 0;
local_save_flags(flags);
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2005-05-24 15:59 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-05-24 15:46 Potential null pointer dereference in serial driver (2.4) and amiga serial driver (2.6) Julien TINNES
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox