[Bug 1943] New: NULL pointer access in if_ppp.c
bugzilla-daemon at rtems.org
Mon Oct 24 12:37:44 UTC 2011
https://www.rtems.org/bugzilla/show_bug.cgi?id=1943
Summary: NULL pointer access in if_ppp.c
Product: RTEMS
Version: HEAD
Platform: All
OS/Version: RTEMS
Status: NEW
Severity: normal
Priority: P3
Component: networking
AssignedTo: norume at aps.anl.gov
ReportedBy: sebastian.huber at embedded-brains.de
In if_ppp.c (ppp_rxdaemon) we have:
[...]
  /* allocate a new mbuf to replace one */
  if ( mp == NULL ) {
    pppallocmbuf(sc, &mp);
  }

  /* place mbuf on freeq */
  rtems_interrupt_disable(level);
  IF_ENQUEUE(&sc->sc_freeq, mp);
  rtems_interrupt_enable(level);
  mp = (struct mbuf *)0;
[...]
In ppp_tty.c we have:
[...]
void
pppallocmbuf(struct ppp_softc *sc, struct mbuf **mp)
{
  int ilen;
  struct mbuf *m;

  /* loop over length value */
  ilen = sc->sc_mru + PPP_HDRLEN + PPP_FCSLEN;
  while ( ilen > 0 ) {
    /* see if this is end of the chain */
    m = *mp;
    if ( m == NULL ) {
      /* get mbuf header */
      MGETHDR(m, M_DONTWAIT, MT_DATA);
      if ( m == NULL ) {
        /* error - set condition to break out */
        printf("pppallocmbuf: MGETHDR failed\n");
        break;
      }
      MCLGET(m, M_DONTWAIT);
      m->m_next = NULL;
      *mp = m;
    }

    /* update loop variables */
    mp = &m->m_next;
    ilen -= M_DATASIZE(m);
  }
}
[...]
In case no mbufs are available, pppallocmbuf() prints an error and leaves
the *mp value untouched. This leads to a NULL pointer access in if_ppp.c.
I propose to change the mbuf and cluster allocation to use M_WAIT instead of
M_DONTWAIT.