[PATCHv11 17/43] net: sandbox: fix NULL pointer dereferences
Tom Rini
trini at konsulko.com
Mon Nov 27 19:19:55 CET 2023
On Mon, Nov 27, 2023 at 06:57:00PM +0600, Maxim Uvarov wrote:
> Add additional checks for NULL pointers.
>
> Signed-off-by: Maxim Uvarov <maxim.uvarov at linaro.org>
> ---
> drivers/net/sandbox.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/net/sandbox.c b/drivers/net/sandbox.c
> index 13022addb6..75d32db3a9 100644
> --- a/drivers/net/sandbox.c
> +++ b/drivers/net/sandbox.c
> @@ -65,6 +65,9 @@ int sandbox_eth_arp_req_to_reply(struct udevice *dev, void *packet,
> struct ethernet_hdr *eth_recv;
> struct arp_hdr *arp_recv;
>
> + if (!priv)
> + return -EAGAIN;
> +
> if (ntohs(eth->et_protlen) != PROT_ARP)
> return -EAGAIN;
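Review bot: the new `if (!priv)` check returns -EAGAIN, the same value the very next test returns for a packet that is not PROT_ARP, so a caller cannot tell a device with no private data apart from an ordinary non-matching packet. A distinct error such as -EINVAL would keep a setup failure from being silently treated as "nothing to do", and the commit message should say which call path can reach this function with priv unset.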
This part seems fine.
> @@ -82,6 +85,8 @@ int sandbox_eth_arp_req_to_reply(struct udevice *dev, void *packet,
>
> /* Formulate a fake response */
> eth_recv = (void *)priv->recv_packet_buffer[priv->recv_packets];
> + if (!eth_recv)
> + return -EAGAIN;
> memcpy(eth_recv->et_dest, eth->et_src, ARP_HLEN);
> memcpy(eth_recv->et_src, priv->fake_host_hwaddr, ARP_HLEN);
> eth_recv->et_protlen = htons(PROT_ARP);
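Review bot: the `if (!eth_recv)` test only covers a NULL slot in priv->recv_packet_buffer; nothing in this hunk bounds priv->recv_packets before it is used as the index, so an out-of-range index still reaches the memcpy() calls below. If a slot can legitimately be NULL here, the commit message should explain when, and the check would be better placed where the buffers are set up or where recv_packets is advanced, returning an error that is distinguishable from the -EAGAIN used for non-ARP packets. As a style point, a blank line after the new return would match the first hunk.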
How do we get to this dereference, and is that not a bug in the caller?
--
Tom