[Bug 1587] New: Possible null dereference in rtems-rfs-shell.c

bugzilla-daemon at rtems.org bugzilla-daemon at rtems.org
Thu Jun 24 13:26:32 UTC 2010


https://www.rtems.org/bugzilla/show_bug.cgi?id=1587

           Summary: Possible null dereference in rtems-rfs-shell.c
           Product: RTEMS
           Version: HEAD
          Platform: All
        OS/Version: RTEMS
            Status: NEW
          Severity: normal
          Priority: P3
         Component: filesystem
        AssignedTo: chrisj at rtems.org
        ReportedBy: joel.sherrill at oarcorp.com


This was spotted by Coverity Scan.  Their ID is 35.

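This is also present in 4.10, but since the RFS is new in 4.10, no older release
is affected. In the trace below every argument takes the option ('-') branch, so
the else branch that assigns "driver" never runs, and "driver" is still NULL
(see Coverity's assign_zero event) when it is passed to rtems_rfs_format() at
line 740. A check for a missing driver name is needed before that call. I will
attach a fix.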

667        memset (&config, 0, sizeof (rtems_rfs_format_config));
668      

At conditional (2): "arg < argc" taking true path
At conditional (6): "arg < argc" taking true path
At conditional (10): "arg < argc" taking true path
At conditional (14): "arg < argc" taking true path
At conditional (17): "arg < argc" taking true path
At conditional (21): "arg < argc" taking false path

669        for (arg = 1; arg < argc; arg++)
670        {

At conditional (3): "*(*(argv + (arg * 4)) + 0) == 45" taking true path
At conditional (7): "*(*(argv + (arg * 4)) + 0) == 45" taking true path
At conditional (11): "*(*(argv + (arg * 4)) + 0) == 45" taking true path
At conditional (15): "*(*(argv + (arg * 4)) + 0) == 45" taking true path
At conditional (18): "*(*(argv + (arg * 4)) + 0) == 45" taking true path

671          if (argv[arg][0] == '-')
672          {
673            switch (argv[arg][1])
674            {

At conditional (1): "*(*(argv + (arg * 4)) + 1) == 118" taking true path

675              case 'v':
676                config.verbose = true;
677                break;
678                

At conditional (4): "*(*(argv + (arg * 4)) + 1) == 115" taking true path

679              case 's':
680                arg++;

At conditional (5): "arg >= argc" taking false path

681                if (arg >= argc)
682                {
683                  printf ("error: block size needs an argument\n");
684                  return 1;
685                }
686                config.block_size = strtoul (argv[arg], 0, 0);
687                break;
688              

At conditional (8): "*(*(argv + (arg * 4)) + 1) == 98" taking true path

689              case 'b':
690                arg++;

At conditional (9): "arg >= argc" taking false path

691                if (arg >= argc)
692                {
693                  printf ("error: group block count needs an argument\n");
694                  return 1;
695                }
696                config.group_blocks = strtoul (argv[arg], 0, 0);
697                break;
698                

At conditional (12): "*(*(argv + (arg * 4)) + 1) == 105" taking true path

699              case 'i':
700                arg++;

At conditional (13): "arg >= argc" taking false path

701                if (arg >= argc)
702                {
703                  printf ("error: group inode count needs an argument\n");
704                  return 1;
705                }
706                config.group_inodes = strtoul (argv[arg], 0, 0);
707                break;
708      

At conditional (16): "*(*(argv + (arg * 4)) + 1) == 73" taking true path

709              case 'I':
710                config.initialise_inodes = true;
711                break;
712                

At conditional (19): "*(*(argv + (arg * 4)) + 1) == 111" taking true path

713              case 'o':
714                arg++;

At conditional (20): "arg >= argc" taking false path

715                if (arg >= argc)
716                {
717                  printf ("error: inode percentage overhead needs an
argument\n");
718                  return 1;
719                }
720                config.inode_overhead = strtoul (argv[arg], 0, 0);
721                break;
722                
723              default:
724                printf ("error: invalid option: %s\n", argv[arg]);
725                return 1;
726            }
727          }
728          else
729          {
730            if (!driver)
731              driver = argv[arg];
732            else
733            {
734              printf ("error: only one driver name allowed: %s\n",
argv[arg]);
735              return 1;
736            }
737          }
738        }
739      

Event var_deref_model: Variable "driver" tracked as NULL was passed to a
function that dereferences it. [model]
Also see events: [assign_zero]

740        if (rtems_rfs_format (driver, &config) < 0)
741        {
