#1943 closed defect

NULL pointer access in if_ppp.c

Reported by: Sebastian Huber Owned by: Sebastian Huber
Priority: normal Milestone: 4.9.5
Component: network/legacy Version: 4.9
Severity: normal Keywords:
Cc: Blocked By:
Blocking:

Description (last modified by Gedare Bloom)

In if_ppp.c (ppp_rxdaemon) we have:

[...]

    /* allocate a new mbuf to replace one */
    if ( mp == NULL ) {
      pppallocmbuf(sc, &mp);
    }

    /* place mbuf on freeq */
    rtems_interrupt_disable(level);
    IF_ENQUEUE(&sc->sc_freeq, mp);
    rtems_interrupt_enable(level);
    mp = (struct mbuf *)0;

[...]

In ppp_tty.c we have:

[...]
void
pppallocmbuf(struct ppp_softc *sc, struct mbuf **mp)
{
  int ilen;
  struct mbuf *m;

  /* loop over length value */
  ilen = sc->sc_mru + PPP_HDRLEN + PPP_FCSLEN;
  while ( ilen > 0 ) {
    /* see if this is end of the chain */
    m = *mp;
    if ( m == NULL ) {
      /* get mbuf header */
      MGETHDR(m, M_DONTWAIT, MT_DATA);
      if ( m == NULL ) {
        /* error - set condition to break out */
        printf("pppallocmbuf: MGETHDR failed\n");
        break;
      }
      MCLGET(m, M_DONTWAIT);
      m->m_next = NULL;
      *mp = m;
    }

    /* update loop variables */
    mp = &m->m_next;
    ilen -= M_DATASIZE(m);
  }
}
[...]

In case no mbufs are available, pppallocmbuf() prints an error and leaves the *mp value untouched. This leads to a NULL pointer access in if_ppp.c.

I propose to change the mbuf and cluster allocation to use M_WAIT instead of M_DONTWAIT.
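An added example, not RTEMS code, that models the failure path described in the ticket: a toy mbuf pool that can run dry, a toy_pppallocmbuf() with the same break-on-failure control flow as the function quoted above, and a refill step that checks the returned chain before putting it on the free queue. This is the caller-side check that would have caught the NULL; the ticket's own fix is the M_WAIT change proposed above. It goes slightly beyond the ticket in also rejecting a partially allocated chain (a later MGETHDR failing), which the quoted loop returns silently. All toy_* names, the pool size and TOY_DATASIZE are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-ins for the kernel mbuf pool; sizes are constructed for this example. */
#define TOY_DATASIZE  256   /* plays the role of M_DATASIZE(m) */
#define TOY_POOL_SIZE 7

struct mbuf {
    struct mbuf *m_next;     /* chain link, as in the ticket's code */
    struct mbuf *m_nextpkt;  /* queue link, used by the IF_ENQUEUE stand-in */
    unsigned char m_dat[TOY_DATASIZE];
};

static struct mbuf toy_pool[TOY_POOL_SIZE];
static int toy_pool_used[TOY_POOL_SIZE];
static struct mbuf *toy_freeq;   /* stands in for sc->sc_freeq */

void toy_reset(void)
{
    memset(toy_pool_used, 0, sizeof toy_pool_used);
    toy_freeq = NULL;
}

int toy_pool_free_count(void)
{
    int n = 0;
    for (int i = 0; i < TOY_POOL_SIZE; i++) n += !toy_pool_used[i];
    return n;
}

/* Stand-in for MGETHDR(m, M_DONTWAIT, MT_DATA): returns NULL when the pool is empty. */
static struct mbuf *toy_mgethdr_dontwait(void)
{
    for (int i = 0; i < TOY_POOL_SIZE; i++) {
        if (!toy_pool_used[i]) {
            toy_pool_used[i] = 1;
            toy_pool[i].m_next = toy_pool[i].m_nextpkt = NULL;
            return &toy_pool[i];
        }
    }
    return NULL;
}

/* Return a whole chain (possibly NULL) to the pool. */
static void toy_m_freem(struct mbuf *m)
{
    while (m != NULL) {
        struct mbuf *next = m->m_next;
        toy_pool_used[m - toy_pool] = 0;
        m = next;
    }
}

/* Same control flow as pppallocmbuf() in the ticket: a failed allocation breaks
 * out of the loop, so *mp is still NULL if the first mbuf failed, or a chain
 * shorter than ilen if a later one failed. */
void toy_pppallocmbuf(int ilen, struct mbuf **mp)
{
    while (ilen > 0) {
        struct mbuf *m = *mp;
        if (m == NULL) {
            m = toy_mgethdr_dontwait();
            if (m == NULL) {
                printf("toy_pppallocmbuf: MGETHDR failed\n");
                break;
            }
            m->m_next = NULL;
            *mp = m;
        }
        mp = &m->m_next;
        ilen -= TOY_DATASIZE;
    }
}

int toy_chain_capacity(const struct mbuf *m)
{
    int cap = 0;
    for (; m != NULL; m = m->m_next) cap += TOY_DATASIZE;
    return cap;
}

/* Checked version of the ppp_rxdaemon refill step: enqueue only a chain that
 * exists and can hold 'need' bytes. Returns 1 on success, 0 when nothing was
 * enqueued (rather than enqueueing a NULL or a short chain). */
int toy_refill_freeq(int need)
{
    struct mbuf *mp = NULL;
    toy_pppallocmbuf(need, &mp);
    if (mp == NULL || toy_chain_capacity(mp) < need) {
        toy_m_freem(mp);          /* give a partial chain back; never enqueue NULL */
        return 0;
    }
    mp->m_nextpkt = toy_freeq;    /* IF_ENQUEUE(&sc->sc_freeq, mp) stand-in */
    toy_freeq = mp;
    return 1;
}

int toy_freeq_len(void)
{
    int n = 0;
    for (const struct mbuf *q = toy_freeq; q != NULL; q = q->m_nextpkt) n++;
    return n;
}
```

With a 7-mbuf pool and a 300-byte request (two mbufs per chain), the first three refills succeed, the fourth gets only one mbuf and is rejected as a short chain, and once the pool is completely empty the first MGETHDR fails and *mp stays NULL, which the check turns into a dropped refill instead of a dereference in the enqueue.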

Change History (3)

comment:2 Changed on 11/22/14 at 14:31:33 by Gedare Bloom

Description: modified (diff)
Milestone: 4.11 → 4.9.5
Owner: changed from Eric Norum to Sebastian Huber
Status: new → assigned
Version: HEAD → 4.11

Sebastian, please back-port your patch to 4.10 and 4.9 branches.

comment:3 Changed on 11/22/14 at 14:34:47 by Gedare Bloom

Resolution: fixed
Status: assigned → closed
Version: 4.11 → 4.9

I applied to 4.10 and 4.9.
