#1587 closed defect (fixed)

Possible null dereference in rtems-rfs-shell.c

Reported by: Joel Sherrill
Owned by: Chris Johns
Priority: normal
Milestone: 4.11
Component: fs
Version: 4.11
Severity: normal
Keywords:
Cc:
Blocked By:
Blocking:

Description

This was spotted by Coverity Scan. Their ID is 35.

This is also in 4.10 but since the RFS is new in 4.10, nothing older. I will
attach a fix.

667 memset (&config, 0, sizeof (rtems_rfs_format_config));
668

At conditional (2): "arg < argc" taking true path
At conditional (6): "arg < argc" taking true path
At conditional (10): "arg < argc" taking true path
At conditional (14): "arg < argc" taking true path
At conditional (17): "arg < argc" taking true path
At conditional (21): "arg < argc" taking false path

669 for (arg = 1; arg < argc; arg++)
670 {

At conditional (3): "*(*(argv + (arg * 4)) + 0) == 45" taking true path
At conditional (7): "*(*(argv + (arg * 4)) + 0) == 45" taking true path
At conditional (11): "*(*(argv + (arg * 4)) + 0) == 45" taking true path
At conditional (15): "*(*(argv + (arg * 4)) + 0) == 45" taking true path
At conditional (18): "*(*(argv + (arg * 4)) + 0) == 45" taking true path

671 if (argv[arg][0] == '-')
672 {
673 switch (argv[arg][1])
674 {

At conditional (1): "*(*(argv + (arg * 4)) + 1) == 118" taking true path

675 case 'v':
676 config.verbose = true;
677 break;
678

At conditional (4): "*(*(argv + (arg * 4)) + 1) == 115" taking true path

679 case 's':
680 arg++;

At conditional (5): "arg >= argc" taking false path

681 if (arg >= argc)
682 {
683 printf ("error: block size needs an argument\n");
684 return 1;
685 }
686 config.block_size = strtoul (argv[arg], 0, 0);
687 break;
688

At conditional (8): "*(*(argv + (arg * 4)) + 1) == 98" taking true path

689 case 'b':
690 arg++;

At conditional (9): "arg >= argc" taking false path

691 if (arg >= argc)
692 {
693 printf ("error: group block count needs an argument\n");
694 return 1;
695 }
696 config.group_blocks = strtoul (argv[arg], 0, 0);
697 break;
698

At conditional (12): "*(*(argv + (arg * 4)) + 1) == 105" taking true path

699 case 'i':
700 arg++;

At conditional (13): "arg >= argc" taking false path

701 if (arg >= argc)
702 {
703 printf ("error: group inode count needs an argument\n");
704 return 1;
705 }
706 config.group_inodes = strtoul (argv[arg], 0, 0);
707 break;
708

At conditional (16): "*(*(argv + (arg * 4)) + 1) == 73" taking true path

709 case 'I':
710 config.initialise_inodes = true;
711 break;
712

At conditional (19): "*(*(argv + (arg * 4)) + 1) == 111" taking true path

713 case 'o':
714 arg++;

At conditional (20): "arg >= argc" taking false path

715 if (arg >= argc)
716 {
717 printf ("error: inode percentage overhead needs an argument\n");
718 return 1;
719 }
720 config.inode_overhead = strtoul (argv[arg], 0, 0);
721 break;
722
723 default:
724 printf ("error: invalid option: %s\n", argv[arg]);
725 return 1;
726 }
727 }
728 else
729 {
730 if (!driver)
731 driver = argv[arg];
732 else
733 {
734 printf ("error: only one driver name allowed: %s\n", argv[arg]);
735 return 1;
736 }
737 }
738 }
739

Event var_deref_model: Variable "driver" tracked as NULL was passed to a function that dereferences it. [model]
Also see events: [assign_zero]

740 if (rtems_rfs_format (driver, &config) < 0)
741 {
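
The defect path in the trace above, reduced to a self-contained model with a guard added before the call. This is an added example, not the attached rfs_null_deref.diff (its contents are not shown on this page) and not RTEMS code. The names format_config, fake_format and shell_format, the "no driver name given" message and the /dev/rda argument in the comments are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for rtems_rfs_format_config (one field only). */
typedef struct { size_t block_size; } format_config;

/* Hypothetical stand-in for rtems_rfs_format(): it dereferences driver. */
static int fake_format(const char *driver, const format_config *config)
{
  return (config != NULL && strlen(driver) > 0) ? 0 : -1;
}

/* Reduced loop shape from the listing; returns 0 on success, 1 on error. */
int shell_format(int argc, char *argv[])
{
  format_config config;
  const char *driver = NULL;
  int arg;
  memset(&config, 0, sizeof(config));
  for (arg = 1; arg < argc; arg++) {
    if (argv[arg][0] == '-') {
      switch (argv[arg][1]) {
      case 's':
        arg++;
        if (arg >= argc) {
          printf("error: block size needs an argument\n");
          return 1;
        }
        config.block_size = strtoul(argv[arg], 0, 0);
        break;
      default:
        printf("error: invalid option: %s\n", argv[arg]);
        return 1;
      }
    } else if (!driver) {
      driver = argv[arg];           /* e.g. "/dev/rda" (constructed name) */
    } else {
      printf("error: only one driver name allowed: %s\n", argv[arg]);
      return 1;
    }
  }
  /* Added guard (assumption, not the ticket's patch): a command line with
   * options only, such as "-s 512", leaves driver NULL at this point. */
  if (driver == NULL) {
    printf("error: no driver name given\n");
    return 1;
  }
  return fake_format(driver, &config) < 0 ? 1 : 0;
}
```

Without the final NULL check, an option-only command line reaches the callee with driver still NULL, which is the var_deref_model event Coverity reports at line 740.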

Attachments (1)

rfs_null_deref.diff (607 bytes) - added by Joel Sherrill on Jun 24, 2010 at 12:26:53 PM.
patch


Change History (3)

Changed on Jun 24, 2010 at 12:26:53 PM by Joel Sherrill

Attachment: rfs_null_deref.diff added

patch

comment:1 Changed on Jun 24, 2010 at 12:29:16 PM by Joel Sherrill

Resolution: fixed
Status: new → closed

Patch committed to head and 4.10.

comment:2 Changed on Nov 24, 2014 at 6:58:28 PM by Gedare Bloom

Version: HEAD → 4.11

Replace Version=HEAD with Version=4.11 for the tickets with Milestone >= 4.11
