[PATCH 1/1] Char: synclink, fix potential null dereference

[PATCH 1/1] Char: synclink, fix potential null dereference

[Jiri Slaby]

Stanse found a potential null dereference in mgsl_put_char and
mgsl_write. There is a check for tty being NULL, but it is
dereferenced earlier. Move the dereference after the check.

Also reorder mgsl_paranoia_check so that it makes sense:
* check !tty
* deref tty
* check !info
* deref info

And don't jump to cleanup label in mgsl_write's two cases, return
immediately, since there is an info dereference as well.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/char/synclink.c |   30 ++++++++++++++++++++----------
 1 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/drivers/char/synclink.c b/drivers/char/synclink.c
index 4846b73..30f21bd 100644
--- a/drivers/char/synclink.c
+++ b/drivers/char/synclink.c
@@ -2019,19 +2019,24 @@ static void mgsl_change_params(struct mgsl_struct *info)
  */
 static int mgsl_put_char(struct tty_struct *tty, unsigned char ch)
 {
-	struct mgsl_struct *info = tty->driver_data;
+	struct mgsl_struct *info;
 	unsigned long flags;
 	int ret = 0;
 
+	if (!tty)
+		return 0;
+
+	info = tty->driver_data;
+
+	if (mgsl_paranoia_check(info, tty->name, "mgsl_put_char"))
+		return 0;
+
 	if (debug_level >= DEBUG_LEVEL_INFO) {
 		printk(KERN_DEBUG "%s(%d):mgsl_put_char(%d) on %s\n",
 			__FILE__, __LINE__, ch, info->device_name);
 	}		
 	
-	if (mgsl_paranoia_check(info, tty->name, "mgsl_put_char"))
-		return 0;
-
-	if (!tty || !info->xmit_buf)
+	if (!info->xmit_buf)
 		return 0;
 
 	spin_lock_irqsave(&info->irq_spinlock, flags);
@@ -2111,17 +2116,22 @@ static int mgsl_write(struct tty_struct * tty,
 		    const unsigned char *buf, int count)
 {
 	int	c, ret = 0;
-	struct mgsl_struct *info = tty->driver_data;
+	struct mgsl_struct *info;
 	unsigned long flags;
 	
+	if (!tty)
+		return 0;
+
+	info = tty->driver_data;
+
+	if (mgsl_paranoia_check(info, tty->name, "mgsl_write"))
+		return 0;
+
 	if ( debug_level >= DEBUG_LEVEL_INFO )
 		printk( "%s(%d):mgsl_write(%s) count=%d\n",
 			__FILE__,__LINE__,info->device_name,count);
-	
-	if (mgsl_paranoia_check(info, tty->name, "mgsl_write"))
-		goto cleanup;
 
-	if (!tty || !info->xmit_buf)
+	if (!info->xmit_buf)
 		goto cleanup;
 
 	if ( info->params.mode == MGSL_MODE_HDLC ||
-- 
1.6.5.7

Re: [PATCH 1/1] Char: synclink, fix potential null dereference

[Jiri Slaby]

On 01/10/2010 09:51 AM, Jiri Slaby wrote:
> Stanse found a potential null dereference in mgsl_put_char and
> mgsl_write. There is a check for tty being NULL, but it is
> dereferenced earlier. Move the dereference after the check.
> 
> Also reorder mgsl_paranoia_check so that it makes sense:
> * check !tty
> * deref tty
> * check !info
> * deref info

Actually, this is wrong, .write and .put_char cannot be called with NULL
tty.

-- 
js

[PATCH 1/1] Char: synclink, remove unnecessary checks

[Jiri Slaby]

Stanse found a potential null dereference in mgsl_put_char and
mgsl_write. There is a check for tty being NULL, but it is
dereferenced earlier.

Actually, tty cannot be NULL in .write and .put_char, so remove
the tests.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Greg Kroah-Hartman <gregkh@suse.de>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Alan Cox <alan@linux.intel.com>
---
 drivers/char/synclink.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/char/synclink.c b/drivers/char/synclink.c
index 4846b73..0658fc5 100644
--- a/drivers/char/synclink.c
+++ b/drivers/char/synclink.c
@@ -2031,7 +2031,7 @@ static int mgsl_put_char(struct tty_struct *tty, unsigned char ch)
 	if (mgsl_paranoia_check(info, tty->name, "mgsl_put_char"))
 		return 0;
 
-	if (!tty || !info->xmit_buf)
+	if (!info->xmit_buf)
 		return 0;
 
 	spin_lock_irqsave(&info->irq_spinlock, flags);
@@ -2121,7 +2121,7 @@ static int mgsl_write(struct tty_struct * tty,
 	if (mgsl_paranoia_check(info, tty->name, "mgsl_write"))
 		goto cleanup;
 
-	if (!tty || !info->xmit_buf)
+	if (!info->xmit_buf)
 		goto cleanup;
 
 	if ( info->params.mode == MGSL_MODE_HDLC ||
-- 
1.6.5.7