Hi,

while reading libpci and lspci code, I was a bit surprised that there
are a few places where the return value of malloc and friends is not
checked. Either I'm not seeing some allocation magic which makes such
allocations succeed (or kills the app on failure), or these are genuine
bugs.

Examples follow:

lib/init.c:
> struct pci_access *
> pci_alloc(void)
> {
>   struct pci_access *a = malloc(sizeof(struct pci_access));
>   int i;
>   memset(a, 0, sizeof(*a));

The memset will segfault if malloc failed.

lib/init.c:
> char *
> pci_strdup(struct pci_access *a, char *s)
> {
>   int len = strlen(s) + 1;
>   char *t = pci_malloc(a, len);
>   memcpy(t, s, len);

The memcpy will segfault if pci_malloc failed.

lib/access.c:
> struct pci_dev *
> pci_alloc_dev(struct pci_access *a)
> {
>   struct pci_dev *d = pci_malloc(a, sizeof(struct pci_dev));
>   memset(d, 0, sizeof(*d));

The memset will segfault if pci_malloc failed.

lib/access.c:
> struct pci_dev *
> pci_get_dev(struct pci_access *a, int domain, int bus, int dev, int func)
> {
>   struct pci_dev *d = pci_alloc_dev(a);
>   d->domain = domain;

The d->domain assignment will segfault if pci_alloc_dev failed.

lspci.c:
> int
> main(int argc, char **argv)
> {
> ...
>   pacc = pci_alloc();
>   pacc->error = die;

The pacc->error assignment will segfault if pci_alloc failed.

There are probably some tools out there which can check the whole
codebase for these cases, but as long as I'm not sure if the code uses
hidden magic or not, I'll refrain from sending patches.

Regards,
Carl-Daniel

--
http://www.hailfinger.org/
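
Added example, not part of the original message and not code from libpci or lspci: one way to write the checked form of the allocate-then-use pattern quoted above, with the allocator passed in so the failure path can be exercised. The names struct access, access_new, access_malloc, access_strdup and failing_alloc are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a library handle; not libpci's struct pci_access. */
struct access {
  void *(*alloc)(size_t);          /* allocator, swappable for fault injection */
  void (*error)(const char *msg);  /* error hook; a real tool might exit here */
  int errors;                      /* failures seen, so callers can inspect them */
};

void *failing_alloc(size_t n) { (void)n; return NULL; }  /* simulates out-of-memory */
static void log_error(const char *msg) { fprintf(stderr, "error: %s\n", msg); }

/* First allocation: no handle exists yet, so the only option is to return NULL. */
struct access *access_new(void *(*alloc)(size_t))
{
  struct access *a = alloc(sizeof(*a));
  if (!a)
    return NULL;                   /* checked before memset touches it */
  memset(a, 0, sizeof(*a));
  a->alloc = alloc;
  a->error = log_error;
  return a;
}

/* Checked allocation: report through the hook, then return NULL to the caller. */
void *access_malloc(struct access *a, size_t size)
{
  void *p = a->alloc(size);
  if (!p) {
    a->errors++;
    if (a->error)
      a->error("out of memory");
  }
  return p;
}

char *access_strdup(struct access *a, const char *s)
{
  size_t len = strlen(s) + 1;
  char *t = access_malloc(a, len);
  if (!t)
    return NULL;                   /* checked before memcpy touches it */
  memcpy(t, s, len);
  return t;
}
```

If the error hook is one that never returns (for example, it prints and exits), the NULL checks in the callers become unreachable but harmless.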