[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-block] [PATCH v4 5/8] block: Fix potential Null pointer dereferenc
|
From: |
Liam Merwick |
|
Subject: |
[Qemu-block] [PATCH v4 5/8] block: Fix potential Null pointer dereferences in vvfat.c |
|
Date: |
Fri, 19 Oct 2018 21:39:03 +0100 |
The calls to find_mapping_for_cluster() may return NULL but it
isn't always checked for before dereferencing the value returned.
Additionally, add some asserts to cover cases where NULL can't
be returned but which might not be obvious at first glance.
Signed-off-by: Liam Merwick <address@hidden>
---
block/vvfat.c | 33 ++++++++++++++++++++++++++++-----
1 file changed, 28 insertions(+), 5 deletions(-)
diff --git a/block/vvfat.c b/block/vvfat.c
index fc41841a5c3c..19f6725054a0 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -100,6 +100,7 @@ static inline void array_free(array_t* array)
/* does not automatically grow */
static inline void* array_get(array_t* array,unsigned int index) {
assert(index < array->next);
+ assert(array->pointer);
return array->pointer + index * array->item_size;
}
@@ -108,8 +109,7 @@ static inline int array_ensure_allocated(array_t* array,
int index)
if((index + 1) * array->item_size > array->size) {
int new_size = (index + 32) * array->item_size;
array->pointer = g_realloc(array->pointer, new_size);
- if (!array->pointer)
- return -1;
+ assert(array->pointer);
memset(array->pointer + array->size, 0, new_size - array->size);
array->size = new_size;
array->next = index + 1;
@@ -2261,6 +2261,9 @@ static mapping_t* insert_mapping(BDRVVVFATState* s,
}
if (index >= s->mapping.next || mapping->begin > begin) {
mapping = array_insert(&(s->mapping), index, 1);
+ if (mapping == NULL) {
+ return NULL;
+ }
mapping->path = NULL;
adjust_mapping_indices(s, index, +1);
}
@@ -2428,6 +2431,9 @@ static int commit_direntries(BDRVVVFATState* s,
direntry_t* direntry = array_get(&(s->directory), dir_index);
uint32_t first_cluster = dir_index == 0 ? 0 : begin_of_direntry(direntry);
mapping_t* mapping = find_mapping_for_cluster(s, first_cluster);
+ if (mapping == NULL) {
+ return -1;
+ }
int factor = 0x10 * s->sectors_per_cluster;
int old_cluster_count, new_cluster_count;
@@ -2494,6 +2500,9 @@ DLOG(fprintf(stderr, "commit_direntries for %s,
parent_mapping_index %d\n", mapp
direntry = array_get(&(s->directory), first_dir_index + i);
if (is_directory(direntry) && !is_dot(direntry)) {
mapping = find_mapping_for_cluster(s, first_cluster);
+ if (mapping == NULL) {
+ return -1;
+ }
assert(mapping->mode & MODE_DIRECTORY);
ret = commit_direntries(s, first_dir_index + i,
array_index(&(s->mapping), mapping));
@@ -2522,6 +2531,10 @@ static int commit_one_file(BDRVVVFATState* s,
assert(offset < size);
assert((offset % s->cluster_size) == 0);
+ if (mapping == NULL) {
+ return -1;
+ }
+
for (i = s->cluster_size; i < offset; i += s->cluster_size)
c = modified_fat_get(s, c);
@@ -2668,8 +2681,12 @@ static int handle_renames_and_mkdirs(BDRVVVFATState* s)
if (commit->action == ACTION_RENAME) {
mapping_t* mapping = find_mapping_for_cluster(s,
commit->param.rename.cluster);
- char* old_path = mapping->path;
+ char *old_path;
+ if (mapping == NULL) {
+ return -1;
+ }
+ old_path = mapping->path;
assert(commit->path);
mapping->path = commit->path;
if (rename(old_path, mapping->path))
@@ -2690,10 +2707,15 @@ static int handle_renames_and_mkdirs(BDRVVVFATState* s)
direntry_t* d = direntry + i;
if (is_file(d) || (is_directory(d) && !is_dot(d))) {
+ int l;
+ char *new_path;
mapping_t* m = find_mapping_for_cluster(s,
begin_of_direntry(d));
- int l = strlen(m->path);
- char* new_path = g_malloc(l + diff + 1);
+ if (m == NULL) {
+ return -1;
+ }
+ l = strlen(m->path);
+ new_path = g_malloc(l + diff + 1);
assert(!strncmp(m->path, mapping->path, l2));
@@ -3193,6 +3215,7 @@ static int enable_write_target(BlockDriverState *bs,
Error **errp)
backing = bdrv_new_open_driver(&vvfat_write_target, NULL,
BDRV_O_ALLOW_RDWR,
&error_abort);
+ assert(backing);
*(void**) backing->opaque = s;
bdrv_set_backing_hd(s->bs, backing, &error_abort);
--
1.8.3.1
- [Qemu-block] [PATCH v4 0/8] off-by-one and NULL pointer accesses detected by static analysis, Liam Merwick, 2018/10/19
- [Qemu-block] [PATCH v4 3/8] block: Null pointer dereference in blk_root_get_parent_desc(), Liam Merwick, 2018/10/19
- [Qemu-block] [PATCH v4 4/8] qemu-img: assert block_job_get() does not return NULL in img_commit(), Liam Merwick, 2018/10/19
- [Qemu-block] [PATCH v4 2/8] job: Fix off-by-one assert checks for JobSTT and JobVerbTable, Liam Merwick, 2018/10/19
- [Qemu-block] [PATCH v4 1/8] configure: Provide option to explicitly disable AVX2, Liam Merwick, 2018/10/19
- [Qemu-block] [PATCH v4 6/8] block: dump_qlist() may dereference a Null pointer, Liam Merwick, 2018/10/19
- [Qemu-block] [PATCH v4 7/8] qcow2: Read outside array bounds in qcow2_pre_write_overlap_check(), Liam Merwick, 2018/10/19
- [Qemu-block] [PATCH v4 5/8] block: Fix potential Null pointer dereferences in vvfat.c,
Liam Merwick <=
- [Qemu-block] [PATCH v4 8/8] kvm: Potential NULL pointer dereference in kvm_arch_init_vcpu(), Liam Merwick, 2018/10/19