[Bug 1943] New: NULL pointer access in if_ppp.c

bugzilla-daemon at rtems.org bugzilla-daemon at rtems.org
Mon Oct 24 12:37:44 UTC 2011


https://www.rtems.org/bugzilla/show_bug.cgi?id=1943

           Summary: NULL pointer access in if_ppp.c
           Product: RTEMS
           Version: HEAD
          Platform: All
        OS/Version: RTEMS
            Status: NEW
          Severity: normal
          Priority: P3
         Component: networking
        AssignedTo: norume at aps.anl.gov
        ReportedBy: sebastian.huber at embedded-brains.de


In if_ppp.c (ppp_rxdaemon) we have:

[...]
      /* allocate a new mbuf to replace one */
      if ( mp == NULL ) {
        pppallocmbuf(sc, &mp);
      }

      /* place mbuf on freeq */
      rtems_interrupt_disable(level);
      IF_ENQUEUE(&sc->sc_freeq, mp);
      rtems_interrupt_enable(level);
      mp = (struct mbuf *)0;
[...]

In ppp_tty.c we have:

[...]
void
pppallocmbuf(struct ppp_softc *sc, struct mbuf **mp)
{
  int            ilen;
  struct mbuf   *m;

  /* loop over length value */
  ilen = sc->sc_mru + PPP_HDRLEN + PPP_FCSLEN;
  while ( ilen > 0 ) {
    /* see if this is end of the chain */
    m = *mp;
    if ( m == NULL ) {
      /* get mbuf header */
      MGETHDR(m, M_DONTWAIT, MT_DATA);
      if ( m == NULL ) {
        /* error - set condition to break out */
        printf("pppallocmbuf: MGETHDR failed\n");
        break;
      }
      MCLGET(m, M_DONTWAIT);
      m->m_next = NULL;
      *mp = m;
    }

    /* update loop variables */
    mp    = &m->m_next;
    ilen -= M_DATASIZE(m);
  }
}
[...]

In case no mbufs are available, pppallocmbuf() prints an error and leaves
the *mp value untouched.  This leads to a NULL pointer access in if_ppp.c.

I propose to change the mbuf and cluster allocation to use M_WAIT instead of
M_DONTWAIT.

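The failure mode described in the report, as an added example that is not RTEMS code: a toy mbuf pool with an allocation budget stands in for MGETHDR/MCLGET, toy_allocmbuf() keeps the control flow quoted from pppallocmbuf() (print, break, leave *mp as it is), and two callers show the difference between enqueuing the result unconditionally, as the quoted ppp_rxdaemon() fragment does, and checking it first. All toy_* names, the queue model and the constants (1500-byte MRU, 4-byte PPP header, 2-byte FCS, 1024-byte cluster) are assumptions for the illustration; the real IF_ENQUEUE writes through the mbuf pointer and would fault on NULL, so the model records the NULL instead of dereferencing it.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed values for the illustration: a 1500-byte MRU plus 4-byte PPP header
 * and 2-byte FCS, and a cluster size chosen so one frame needs two mbufs,
 * which makes partially allocated chains observable as well as NULL heads. */
#define TOY_MRU      1500
#define TOY_HDRLEN   4
#define TOY_FCSLEN   2
#define TOY_DATASIZE 1024

struct toy_mbuf { struct toy_mbuf *m_next; size_t m_len; };

/* Free-queue model: entries plus a count of NULLs that reached the queue. */
struct toy_queue { struct toy_mbuf *head[8]; int n; int null_enqueued; };

/* Remaining allocations; 0 models "no mbufs available" (M_DONTWAIT failure). */
static int toy_budget;

static struct toy_mbuf *toy_getcl(void)
{
    if (toy_budget <= 0) return NULL;
    toy_budget--;
    struct toy_mbuf *m = calloc(1, sizeof *m);
    if (m) m->m_len = TOY_DATASIZE;
    return m;
}

static void toy_freechain(struct toy_mbuf *m)
{
    while (m) { struct toy_mbuf *n = m->m_next; free(m); m = n; }
}

/* Same control flow as the quoted pppallocmbuf(): on failure print, break and
 * leave whatever was allocated so far in *mp (possibly nothing).
 * Returns the number of data bytes the chain covers. */
static size_t toy_allocmbuf(struct toy_mbuf **mp)
{
    size_t got = 0;
    long ilen = TOY_MRU + TOY_HDRLEN + TOY_FCSLEN;
    while (ilen > 0) {
        struct toy_mbuf *m = *mp;
        if (m == NULL) {
            m = toy_getcl();
            if (m == NULL) {
                printf("toy_allocmbuf: allocation failed\n");
                break;
            }
            m->m_next = NULL;
            *mp = m;
        }
        mp = &m->m_next;
        ilen -= (long)m->m_len;
        got += m->m_len;
    }
    return got;
}

/* Stands in for IF_ENQUEUE(); the real macro dereferences m and faults on NULL. */
static void toy_enqueue(struct toy_queue *q, struct toy_mbuf *m)
{
    if (m == NULL) { q->null_enqueued++; return; }
    if (q->n < 8) q->head[q->n++] = m;
}

/* Caller with the quoted ppp_rxdaemon() pattern: enqueue whatever came back.
 * Returns 1 if a NULL chain head reached the free queue, 0 otherwise. */
int rx_refill_unchecked(int budget)
{
    struct toy_queue q = {0};
    struct toy_mbuf *mp = NULL;
    toy_budget = budget;
    if (mp == NULL) toy_allocmbuf(&mp);
    toy_enqueue(&q, mp);
    int bad = q.null_enqueued;
    toy_freechain(mp);
    return bad;
}

/* Hardened caller: only a complete chain goes on the free queue; a NULL or
 * partial result is released and this refill pass is skipped.
 * Returns 1 if a chain was enqueued, 0 if the refill was skipped. */
int rx_refill_checked(int budget)
{
    struct toy_queue q = {0};
    struct toy_mbuf *mp = NULL;
    size_t need = TOY_MRU + TOY_HDRLEN + TOY_FCSLEN;
    toy_budget = budget;
    size_t got = toy_allocmbuf(&mp);
    if (mp == NULL || got < need) {
        toy_freechain(mp);          /* safe on NULL; drops a partial chain */
        return 0;
    }
    toy_enqueue(&q, mp);
    int ok = q.n;
    toy_freechain(mp);
    return ok;
}

int main(void)
{
    printf("unchecked, pool empty: NULL enqueued = %d\n", rx_refill_unchecked(0));
    printf("checked, pool empty:   enqueued = %d\n", rx_refill_checked(0));
    printf("checked, one mbuf:     enqueued = %d\n", rx_refill_checked(1));
    printf("checked, two mbufs:    enqueued = %d\n", rx_refill_checked(2));
    return 0;
}
```

Whether or not the allocation is switched to M_WAIT as the report proposes, a caller that checks the chain head (and, as above, the chain length) before enqueuing is the check that keeps a transient pool exhaustion from turning into a dereference of NULL inside the queue macro.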