[Bugme-new] [Bug 9573] New: NULL pointer dereference on drivers/usb/serial/whiteheat.c
Andrew Morton
2007-12-16 04:23:47 UTC
http://bugzilla.kernel.org/show_bug.cgi?id=9573
Summary: NULL pointer dereference on drivers/usb/serial/whiteheat.c
Product: Drivers
Version: 2.5
KernelVersion: 2.6.23
Platform: All
OS/Version: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: USB
There's a null pointer dereference on drivers/usb/serial/whiteheat.c as
(1) line 613: the test "if (port->tty)" implies that null is a legal value
for "port->tty" at that point
(2) neither firm_open nor firm_purge initialize "port->tty"
(3) line 630: "port->tty" is dereferenced at statement
old_term.c_cflag = ~port->tty->termios->c_cflag;
--
Configure bugmail: http://bugzilla.kernel.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
-------------------------------------------------------------------------
SF.Net email is sponsored by:
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services
for just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
_______________________________________________
linux-usb-***@lists.sourceforge.net
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel
Oliver Neukum
2007-12-20 11:23:03 UTC
http://bugzilla.kernel.org/show_bug.cgi?id=9573
There's a null pointer dereference on drivers/usb/serial/whiteheat.c as
(1) line 613: the test "if (port->tty)" implies that null is a legal value
for "port->tty" at that point
(2) neither firm_open nor firm_purge initialize "port->tty"
drivers/usb/serial/usb-serial::serial_open() sets port->tty
The check for NULL is bogus. This patch removes the check.

Signed-off-by: Oliver Neukum <***@suse.de>

Regards
Oliver

----

--- a/drivers/usb/serial/whiteheat.c 2007-12-20 11:55:55.000000000 +0100
+++ b/drivers/usb/serial/whiteheat.c 2007-12-20 11:56:20.000000000 +0100
@@ -610,8 +610,7 @@ static int whiteheat_open (struct usb_se
if (retval)
goto exit;

- if (port->tty)
- port->tty->low_latency = 1;
+ port->tty->low_latency = 1;

/* send an open port command */
retval = firm_open(port);
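Review bot: the changelog should state the invariant that justifies dropping the test, not only the mail body: usb-serial's serial_open() sets port->tty before the driver's open is called, and the quoted report's point (3) shows that line 630 of the same function already dereferences port->tty->termios unconditionally, so after this hunk the function is at least consistent about what it assumes. Replacing `if (port->tty) port->tty->low_latency = 1;` with the bare assignment is the right shape for that; please fold the serial_open() reasoning into the commit message so a later reader of the log does not reintroduce the check.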

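The report's reasoning (a NULL test on port->tty at one line, an unconditional dereference of the same pointer later in the same function) is the kind of inconsistency a line-based checker can flag. The script below is an added example, not code from the bug report or the driver; it runs over a constructed excerpt modelled on the whiteheat_open() shape the thread describes (the setup_port() call is a stand-in) and reports each pointer that is NULL-tested and then dereferenced outside that test's body.

```python
import re

# Constructed C excerpt modelled on the whiteheat_open() shape the report
# describes (not the real driver source): NULL test, then unguarded use.
SAMPLE_SRC = """\
static int whiteheat_open(struct usb_serial_port *port, struct file *filp)
{
    struct termios old_term;
    int retval = setup_port(port);  /* stand-in for the earlier setup call */
    if (retval)
        goto exit;

    if (port->tty)
        port->tty->low_latency = 1;

    /* send an open port command */
    retval = firm_open(port);
    if (retval)
        goto exit;

    old_term.c_cflag = ~port->tty->termios->c_cflag;
exit:
    return retval;
}
"""

NULL_TEST = re.compile(r'\bif\s*\(\s*!?\s*([A-Za-z_]\w*(?:->\w+)*)\s*\)')
DEREF = re.compile(r'([A-Za-z_]\w*(?:->\w+)*)->')

def find_inconsistent_null_checks(src):
    """Return [(ptr, check_line, deref_line)] for each pointer expression that is
    NULL-tested in a function and later dereferenced outside that test's body.
    Line-based heuristic for this function shape, not a real C parser."""
    findings, checked = [], {}  # checked: pointer expr -> line of first NULL test
    lines = src.splitlines()
    for n, line in enumerate(lines, 1):
        if line.startswith('}'):  # closing brace in column 0 ends a function
            checked.clear()
        elif (test := NULL_TEST.search(line)):
            checked.setdefault(test.group(1), n)
        else:
            prev = NULL_TEST.search(lines[n - 2]) if n > 1 else None
            guarded = prev.group(1) if prev else None  # body line under 'if (p)'
            for deref in DEREF.finditer(line):
                expr = deref.group(1)  # 'port->tty->termios' derefs 'port->tty'
                for ptr, check_line in checked.items():
                    if ptr != guarded and (expr == ptr or expr.startswith(ptr + '->')):
                        findings.append((ptr, check_line, n))
    return findings
```

On the excerpt it reports port->tty tested on line 8 and dereferenced on line 16; with the `if (port->tty)` line removed, as the patch does, nothing is reported.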
Alan Cox
2007-12-20 15:52:28 UTC
On Thu, 20 Dec 2007 12:23:03 +0100
Post by Oliver Neukum
http://bugzilla.kernel.org/show_bug.cgi?id=9573
There's a null pointer dereference on drivers/usb/serial/whiteheat.c as
(1) line 613: the test "if (port->tty)" implies that null is a legal value
for "port->tty" at that point
(2) neither firm_open nor firm_purge initialize "port->tty"
drivers/usb/serial/usb-serial::serial_open() sets port->tty
The check for NULL is bogus. This patch removes the check.
USB serial is full of these. Happy hunting

Acked-by: Alan Cox <***@redhat.com>
