10092 sysevent_evc_control() dereferences pointer before checking for NULL

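--- a/usr/src/uts/common/os/evchannels.c
+++ b/usr/src/uts/common/os/evchannels.c
@@ -16,20 +16,24 @@
  * fields enclosed by brackets "[]" replaced with your own identifying
  * information: Portions Copyright [yyyy] [name of copyright owner]
  *
  * CDDL HEADER END
  */
 /*
  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  */
 
 /*
+ * Copyright (c) 2018, Joyent, Inc.
+ */
+
+/*
  * This file contains the source of the general purpose event channel extension
  * to the sysevent framework. This implementation is made up mainly of four
  * layers of functionality: the event queues (evch_evq_*()), the handling of
  * channels (evch_ch*()), the kernel interface (sysevent_evc_*()) and the
  * interface for the sysevent pseudo driver (evch_usr*()).
  * Libsysevent.so uses the pseudo driver sysevent's ioctl to access the event
  * channel extensions. The driver in turn uses the evch_usr*() functions below.
  *
  * The interfaces for user land and kernel are declared in sys/sysevent.h
  * Internal data structures for event channels are defined in
@@ -1969,30 +1973,32 @@
                 evp->seh_attr_off = attr_offset;
                 SE_FLAG(evp) = SE_PACKED_BUF;
         }
         return (evch_chpublish((evch_bind_t *)scp, evp, flags));
 }
 
 int
 sysevent_evc_control(evchan_t *scp, int cmd, ...)
 {
         va_list         ap;
-        evch_chan_t     *chp = ((evch_bind_t *)scp)->bd_channel;
+        evch_chan_t     *chp;
         uint32_t        *chlenp;
         uint32_t        chlen;
         uint32_t        ochlen;
         int             rc = 0;
 
         if (scp == NULL) {
                 return (EINVAL);
         }
 
+        chp = ((evch_bind_t *)scp)->bd_channel;
+
         va_start(ap, cmd);
         mutex_enter(&chp->ch_mutex);
         switch (cmd) {
         case EVCH_GET_CHAN_LEN:
                 chlenp = va_arg(ap, uint32_t *);
                 *chlenp = chp->ch_maxev;
                 break;
         case EVCH_SET_CHAN_LEN:
                 chlen = va_arg(ap, uint32_t);
                 ochlen = chp->ch_maxev;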
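Review bot: In the `EVCH_GET_CHAN_LEN` case, `chlenp` fetched with `va_arg` is still written through (`*chlenp = chp->ch_maxev;`) without a NULL check, and the store happens with `ch_mutex` held, so a caller passing a NULL out-pointer faults in kernel context instead of getting `EINVAL` the way a NULL `scp` now does. A guard such as `if (chlenp == NULL) { rc = EINVAL; break; }` before the store would match the new handling of `scp`, assuming the switch leaves through a common unlock and `va_end` path, which lies outside the visible lines. A short comment at the moved assignment, e.g. `/* scp was checked above; do not fold this back into the declaration */`, would keep the dereference from being hoisted into an initializer again. The body of sysevent_evc_control() continues past the end of the hunk.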