softraid.c: potential NULL pointer dereference ?

softraid.c: potential NULL pointer dereference ?

by Remco-2

I noticed the following code path in /sys/dev/softraid.c:

int
sr_scsi_cmd(struct scsi_xfer *xs)
{
...
        sd = sc->sc_dis[link->scsibus];
        if (sd == NULL) {
                s = splhigh();
                sd = sc->sc_attach_dis;
                splx(s);

                DNPRINTF(SR_D_CMD, "%s: sr_scsi_cmd: attaching %p\n",
                    DEVNAME(sc), sd);
                if (sd == NULL) {
                        wu = NULL;
                        printf("%s: sr_scsi_cmd NULL discipline\n",
                            DEVNAME(sc));
                        goto stuffup;
...
stuffup:
        if (sd->sd_scsi_sense.error_code) {


If I'm not mistaken this leads to dereferencing sd as a NULL pointer.

I'm not sure whether this causes an actual real-world problem or where to put
a guard to avoid this.


Regards,
Remco


Re: softraid.c: potential NULL pointer dereference ?

by Marcus Glocker-2

On Thu, Jul 09, 2009 at 08:37:38PM +0200, Remco wrote:

> I noticed the following code path in /sys/dev/softraid.c:
>
> int
> sr_scsi_cmd(struct scsi_xfer *xs)
> {
> ...
>         sd = sc->sc_dis[link->scsibus];
>         if (sd == NULL) {
>                 s = splhigh();
>                 sd = sc->sc_attach_dis;
>                 splx(s);
>
>                 DNPRINTF(SR_D_CMD, "%s: sr_scsi_cmd: attaching %p\n",
>                     DEVNAME(sc), sd);
>                 if (sd == NULL) {
>                         wu = NULL;
>                         printf("%s: sr_scsi_cmd NULL discipline\n",
>                             DEVNAME(sc));
>                         goto stuffup;
> ...
> stuffup:
>         if (sd->sd_scsi_sense.error_code) {
>
>
> If I'm not mistaken this leads to dereferencing sd as a NULL pointer.
>
> I'm not sure whether this causes an actual real-world problem or where to put
> a guard to avoid this.

If that situation occurred, we would indeed hit a NULL pointer deref,
which would crash the kernel.

We have fixed it now. Thanks for pointing it out.

> Regards,
> Remco

Regards,
Marcus
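As an added illustration of the path Remco describes and the kind of guard the fix implies, here is a stand-alone C model of the quoted sr_scsi_cmd() flow. This is example code, not the OpenBSD softraid source: the struct names mirror the excerpt, but the simplified types, the CMD_* return codes, the label doubling as the shared exit and the run_scenario() driver are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the softraid types named in the excerpt. */
struct sr_discipline { struct { int error_code; } sd_scsi_sense; };
struct sr_softc { struct sr_discipline *sc_dis[4], *sc_attach_dis; };

enum { CMD_OK = 0, CMD_NO_DISCIPLINE = -1, CMD_SENSE_ERROR = -2 };

/* Hardened model of the quoted sr_scsi_cmd() flow; in this model stuffup:
 * is also the shared exit, so the sense check runs on every path. */
int
sr_scsi_cmd_model(struct sr_softc *sc, int scsibus)
{
	struct sr_discipline *sd;
	int rv = CMD_OK;

	sd = sc->sc_dis[scsibus];
	if (sd == NULL) {
		sd = sc->sc_attach_dis;	/* fall back to the attaching discipline */
		if (sd == NULL) {
			printf("sr_scsi_cmd NULL discipline\n");
			rv = CMD_NO_DISCIPLINE;
			goto stuffup;	/* reaches the label with sd == NULL */
		}
	}
	/* ... normal command dispatch elided in this model ... */

stuffup:
	/* The excerpt reads sd->sd_scsi_sense.error_code unconditionally here,
	 * which dereferences NULL on the path above; check sd first. */
	if (sd != NULL && sd->sd_scsi_sense.error_code)
		rv = CMD_SENSE_ERROR;
	return rv;
}

/* Build one scenario (which disciplines exist, sense state) and run the model. */
int
run_scenario(int have_bus_dis, int have_attach_dis, int sense_error)
{
	struct sr_discipline dis = { { sense_error } };
	struct sr_softc sc = { { NULL }, NULL };

	if (have_bus_dis)
		sc.sc_dis[0] = &dis;
	if (have_attach_dis)
		sc.sc_attach_dis = &dis;
	return sr_scsi_cmd_model(&sc, 0);
}
```

Without the `sd != NULL` guard, run_scenario(0, 0, 0) would fault at the label instead of returning CMD_NO_DISCIPLINE.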