From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dan Magenheimer
Subject: Re: [PATCH] tmem: Prevent NULL dereference on error case
Date: Mon, 12 Nov 2012 08:30:35 -0800 (PST)
Message-ID: <3f722899-a618-4388-8a09-e68fc50c1a70@default>
References: <1352690242-28761-1-git-send-email-mattjd@gmail.com>
In-Reply-To: <1352690242-28761-1-git-send-email-mattjd@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Matthew Daley, xen-devel@lists.xen.org
Cc: Dan Magenheimer
List-Id: xen-devel@lists.xenproject.org

> From: Matthew Daley [mailto:mattjd@gmail.com]
> Subject: [PATCH] tmem: Prevent NULL dereference on error case
>
> If the client / pool IDs given to tmemc_save_get_next_page are invalid,
> the calculation of pagesize will dereference NULL.
>
> Fix this by moving the calculation below the appropriate NULL check.
>
> Signed-off-by: Matthew Daley

Good catch! Did you see this on an actual save/restore or just by inspection?
This should only happen as a result of a buggy toolstack so I'm wondering
if fixing this hides a toolstack bug. In either case, this should be fixed
in the hypervisor.

Acked-by: Dan Magenheimer

> diff --git a/xen/common/tmem.c b/xen/common/tmem.c
> index 1280537..ec59009 100644
> --- a/xen/common/tmem.c
> +++ b/xen/common/tmem.c
> @@ -2436,10 +2436,13 @@ static NOINLINE int tmemc_save_get_next_page(int cli_id, uint32_t pool_id,
> OID oid;
> int ret = 0;
> struct tmem_handle h;
> - unsigned int pagesize = 1 << (pool->pageshift+12);
> + unsigned int pagesize;
>
> if ( pool == NULL || is_ephemeral(pool) )
> return -1;
> +
> + pagesize = 1 << (pool->pageshift + 12);
> +
> if ( bufsize < pagesize + sizeof(struct tmem_handle) )
> return -ENOMEM;
>
> --
> 1.7.10.4
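Review bot: Moving `pagesize = 1 << (pool->pageshift + 12);` below the `pool == NULL || is_ephemeral(pool)` check is the right fix, since the old initializer dereferenced `pool` before it was validated and a bad client/pool ID from the toolstack turned into a hypervisor NULL dereference rather than an error return. One small point on the surrounding context: the early-exit path that now absorbs this case still does a bare `return -1;` while the check a few lines later returns `-ENOMEM`; since this is exactly the path a buggy toolstack will hit after this change, returning a proper errno value (for example `-EINVAL`) would make the failure distinguishable from the buffer-too-small case and easier to spot in the caller. The two added blank `+` lines around the assignment are cosmetic and fine.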