[Bug 1587] New: Possible null dereference in rtems-rfs-shell.c
bugzilla-daemon at rtems.org
bugzilla-daemon at rtems.org
Thu Jun 24 13:26:32 UTC 2010
https://www.rtems.org/bugzilla/show_bug.cgi?id=1587
Summary: Possible null dereference in rtems-rfs-shell.c
Product: RTEMS
Version: HEAD
Platform: All
OS/Version: RTEMS
Status: NEW
Severity: normal
Priority: P3
Component: filesystem
AssignedTo: chrisj at rtems.org
ReportedBy: joel.sherrill at oarcorp.com
This was spotted by Coverity Scan. Their ID is 35.
This is also in 4.10 but since the RFS is new in 4.10, nothing older. I will
attach a fix.
667 memset (&config, 0, sizeof (rtems_rfs_format_config));
668
At conditional (2): "arg < argc" taking true path
At conditional (6): "arg < argc" taking true path
At conditional (10): "arg < argc" taking true path
At conditional (14): "arg < argc" taking true path
At conditional (17): "arg < argc" taking true path
At conditional (21): "arg < argc" taking false path
669 for (arg = 1; arg < argc; arg++)
670 {
At conditional (3): "*(*(argv + (arg * 4)) + 0) == 45" taking true path
At conditional (7): "*(*(argv + (arg * 4)) + 0) == 45" taking true path
At conditional (11): "*(*(argv + (arg * 4)) + 0) == 45" taking true path
At conditional (15): "*(*(argv + (arg * 4)) + 0) == 45" taking true path
At conditional (18): "*(*(argv + (arg * 4)) + 0) == 45" taking true path
671 if (argv[arg][0] == '-')
672 {
673 switch (argv[arg][1])
674 {
At conditional (1): "*(*(argv + (arg * 4)) + 1) == 118" taking true path
675 case 'v':
676 config.verbose = true;
677 break;
678
At conditional (4): "*(*(argv + (arg * 4)) + 1) == 115" taking true path
679 case 's':
680 arg++;
At conditional (5): "arg >= argc" taking false path
681 if (arg >= argc)
682 {
683 printf ("error: block size needs an argument\n");
684 return 1;
685 }
686 config.block_size = strtoul (argv[arg], 0, 0);
687 break;
688
At conditional (8): "*(*(argv + (arg * 4)) + 1) == 98" taking true path
689 case 'b':
690 arg++;
At conditional (9): "arg >= argc" taking false path
691 if (arg >= argc)
692 {
693 printf ("error: group block count needs an argument\n");
694 return 1;
695 }
696 config.group_blocks = strtoul (argv[arg], 0, 0);
697 break;
698
At conditional (12): "*(*(argv + (arg * 4)) + 1) == 105" taking true path
699 case 'i':
700 arg++;
At conditional (13): "arg >= argc" taking false path
701 if (arg >= argc)
702 {
703 printf ("error: group inode count needs an argument\n");
704 return 1;
705 }
706 config.group_inodes = strtoul (argv[arg], 0, 0);
707 break;
708
At conditional (16): "*(*(argv + (arg * 4)) + 1) == 73" taking true path
709 case 'I':
710 config.initialise_inodes = true;
711 break;
712
At conditional (19): "*(*(argv + (arg * 4)) + 1) == 111" taking true path
713 case 'o':
714 arg++;
At conditional (20): "arg >= argc" taking false path
715 if (arg >= argc)
716 {
717 printf ("error: inode percentage overhead needs an
argument\n");
718 return 1;
719 }
720 config.inode_overhead = strtoul (argv[arg], 0, 0);
721 break;
722
723 default:
724 printf ("error: invalid option: %s\n", argv[arg]);
725 return 1;
726 }
727 }
728 else
729 {
730 if (!driver)
731 driver = argv[arg];
732 else
733 {
734 printf ("error: only one driver name allowed: %s\n",
argv[arg]);
735 return 1;
736 }
737 }
738 }
739
Event var_deref_model: Variable "driver" tracked as NULL was passed to a
function that dereferences it. [model]
Also see events: [assign_zero]
740 if (rtems_rfs_format (driver, &config) < 0)
741 {
--
Configure bugmail: https://www.rtems.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
More information about the bugs
mailing list