Print this page
10092 sysevent_evc_control() dereferences pointer before checking for NULL
*** 21,30 ****
--- 21,34 ----
/*
* Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
*/
/*
+ * Copyright (c) 2018, Joyent, Inc.
+ */
+
+ /*
* This file contains the source of the general purpose event channel extension
* to the sysevent framework. This implementation is made up mainly of four
* layers of functionality: the event queues (evch_evq_*()), the handling of
* channels (evch_ch*()), the kernel interface (sysevent_evc_*()) and the
* interface for the sysevent pseudo driver (evch_usr*()).
*** 1974,1993 ****
int
sysevent_evc_control(evchan_t *scp, int cmd, ...)
{
va_list ap;
! evch_chan_t *chp = ((evch_bind_t *)scp)->bd_channel;
uint32_t *chlenp;
uint32_t chlen;
uint32_t ochlen;
int rc = 0;
if (scp == NULL) {
return (EINVAL);
}
va_start(ap, cmd);
mutex_enter(&chp->ch_mutex);
switch (cmd) {
case EVCH_GET_CHAN_LEN:
chlenp = va_arg(ap, uint32_t *);
--- 1978,1999 ----
int
sysevent_evc_control(evchan_t *scp, int cmd, ...)
{
va_list ap;
! evch_chan_t *chp;
uint32_t *chlenp;
uint32_t chlen;
uint32_t ochlen;
int rc = 0;
if (scp == NULL) {
return (EINVAL);
}
+ chp = ((evch_bind_t *)scp)->bd_channel;
+
va_start(ap, cmd);
mutex_enter(&chp->ch_mutex);
switch (cmd) {
case EVCH_GET_CHAN_LEN:
chlenp = va_arg(ap, uint32_t *);