Fix null pointer dereferencing

Add null checks for the return values of functions whose results are mostly (but not
always) checked for null.
E.g., since 98% of calls to protocol_stack_interface_info_get_by_id
check for null, it is likely that the function can return null values in
some cases, and omitting the check could crash the program.
pull/15406/head
Mingjie Shen 2023-04-20 00:54:47 -04:00
parent d0ca14e4fe
commit 378f2f579d
11 changed files with 43 additions and 8 deletions


@ -267,7 +267,7 @@ static uint8_t eattL2cCocAcceptCback(dmConnId_t connId, uint8_t numChans)
{
eattConnCb_t *pCcb = eattGetConnCb(connId);
if ((pCcb->state == EATT_CONN_STATE_INITIATING) || (pCcb->state == EATT_CONN_STATE_RECONFIG))
if (!pCcb || (pCcb->state == EATT_CONN_STATE_INITIATING) || (pCcb->state == EATT_CONN_STATE_RECONFIG))
{
// Reject all requests while busy connecting and configuring channels
return 0;
@ -348,6 +348,10 @@ static void eattReqNextChannels(dmConnId_t connId)
eattConnCb_t *pConnCb = eattGetConnCb(connId);
uint8_t numChans = pEattCfg->numChans - EattGetNumChannelsInUse(connId);
if (!pConnCb) {
return;
}
numChans = (numChans > L2C_MAX_EN_CHAN) ? L2C_MAX_EN_CHAN : numChans;
EATT_TRACE_INFO1("eattReqNextChannels: numChans: %d", numChans);
@ -783,7 +787,7 @@ static void eattDmCback(dmEvt_t *pDmEvt)
* \param connId DM channel ID.
* \param slot EATT slot.
*
* \return None
* \return L2CAP channel identifier.
*/
/*************************************************************************************************/
uint16_t eattGetCid(dmConnId_t connId, uint8_t slot)
@ -795,6 +799,7 @@ uint16_t eattGetCid(dmConnId_t connId, uint8_t slot)
else
{
eattConnCb_t *pCcb = eattGetConnCb(connId);
WSF_ASSERT(pCcb);
return pCcb->pChanCb[slot-1].cid;
}
}
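Review bot: `WSF_ASSERT(pCcb);` before `return pCcb->pChanCb[slot-1].cid;` only guards the dereference in builds where the assert is enabled; if WSF_ASSERT compiles to nothing in release builds (confirm for this port), the NULL dereference this commit sets out to remove is still reachable there. The other hunks in this file handle a NULL `eattGetConnCb` result with a runtime early return, and this branch should do the same: `if (!pCcb) { return 0; }` (or whichever invalid-CID value the branch above the `else` already returns — the start of eattGetCid is outside the hunk); the assert can remain alongside the check. Also, in eattReqNextChannels the new `if (!pConnCb)` sits after the `numChans` computation; placing it directly under the `eattGetConnCb` call avoids the unrelated arithmetic on the error path.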


@ -63,10 +63,18 @@ void SecurityDb::get_entry_local_keys(
/* set flags connected */
SecurityDistributionFlags_t* flags = get_distribution_flags(correct_handle);
if (!flags) {
cb(*db_handle, NULL);
return;
}
flags->connected = true;
/* update peer address */
SecurityDistributionFlags_t* old_flags = get_distribution_flags(*db_handle);
if (!old_flags) {
cb(*db_handle, NULL);
return;
}
flags->peer_address = old_flags->peer_address;
flags->peer_address_is_public = old_flags->peer_address_is_public;
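Review bot: The second guard leaves the entry half-updated: `flags->connected = true;` has already been written when `get_distribution_flags(*db_handle)` returns NULL and the function bails out with `cb(*db_handle, NULL)`. Looking up `old_flags` before mutating `flags` keeps the failure path side-effect free — move the `flags->connected = true;` line to just after the `old_flags` check, or perform both lookups first and then both writes. The rest of get_entry_local_keys is outside the hunk, so whether a later step depends on `connected` already being set cannot be seen here.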


@ -1661,6 +1661,9 @@ void SecurityManager::on_connected(
cb->db_entry = _db->open_entry(peer_address_type, peer_address);
SecurityDistributionFlags_t* flags = _db->get_distribution_flags(cb->db_entry);
if (!flags) {
return;
}
flags->peer_address = peer_address;
flags->peer_address_is_public =
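Review bot: The bare `return;` right after `cb->db_entry = _db->open_entry(...)` abandons an entry that was just opened, and the `cb` block holding it, without whatever cleanup the remainder of on_connected performs on its other failure paths (the function body continues outside the hunk). If the rest of the function releases `cb` or closes the entry when setup fails, this early exit should take the same route rather than returning directly. At minimum the exit deserves a comment stating why a missing distribution-flags entry is treated as non-fatal here, so the silent return reads as deliberate.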


@ -480,7 +480,7 @@ static int secure_session_recvfrom(int8_t socket_id, unsigned char *buf, size_t
{
(void)len;
internal_socket_t *sock = int_socket_find_by_socket_id(socket_id);
if (sock->data && sock->data_len > 0) {
if (sock && sock->data && sock->data_len > 0) {
memcpy(buf, sock->data, sock->data_len);
int l = sock->data_len;
ns_dyn_mem_free(sock->data);
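Review bot: The new `sock &&` guard removes the NULL dereference, but the `memcpy(buf, sock->data, sock->data_len)` it protects still copies `sock->data_len` bytes into `buf` while the caller's buffer size `len` is discarded by `(void)len;` two lines earlier, so a received payload larger than the caller's buffer overruns `buf`. Bounding the copy is a two-line change: compute `int l = sock->data_len > len ? (int)len : sock->data_len;` before the copy and use `memcpy(buf, sock->data, l);`, so the length already returned via `l` matches what was actually copied. This predates the commit but sits on the line it touches, and `sock->data` is network-received data; the function's return path is outside the hunk.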


@ -238,6 +238,9 @@ void thread_tasklet_poll_network_status(void *param)
} else {
memcpy(thread_tasklet_data_ptr->ip, temp_ipv6, 16);
link_configuration_s *link_cfg = thread_management_configuration_get(thread_tasklet_data_ptr->nwk_if_id);
if (!link_cfg) {
return;
}
if (memcmp(thread_tasklet_data_ptr->ip, link_cfg->mesh_local_ula_prefix, 8) == 0) {
thread_tasklet_network_state_changed(MESH_CONNECTED_LOCAL);
} else {
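Review bot: The bare `return;` when `thread_management_configuration_get` yields NULL silently drops the state-change notification that both arms of the following `memcmp` would otherwise raise, after `thread_tasklet_data_ptr->ip` has already been overwritten on the preceding line. If keeping the previous network state is the intended outcome, say so with a comment such as `// no link configuration yet: keep the previous network state`, and consider a trace in the file's logging style on that path so the condition is visible in the field rather than passing silently. The enclosing else-branch and the rest of thread_tasklet_poll_network_status continue outside the hunk.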


@ -682,6 +682,9 @@ static void thread_bbr_status_check(thread_bbr_t *this, uint32_t seconds)
}
// Check if network data as border router is possible or modified
protocol_interface_info_entry_t *cur = protocol_stack_interface_info_get_by_id(this->interface_id);
if (!cur) {
return;
}
this->br_hosted = thread_bbr_i_host_prefix(cur, bbr_prefix_ptr, &this->br_count, &br_lowest_host);
if (!this->br_info_published && bbr_prefix_ptr && this->br_count == 0) {


@ -545,6 +545,9 @@ static int thread_pbbr_bb_qry_cb(int8_t service_id, uint8_t source_address[16],
// Test code for b/ba response override
if (ba_response_status_count) {
device_configuration_s *device_config = thread_joiner_application_get_device_config(this->interface_id);
if (!device_config) {
return -1;
}
ml_eid_ptr = device_config->eui64;
last_transaction_time = protocol_core_monotonic_time;
ba_response_status_count--;
@ -617,7 +620,7 @@ static int thread_pbbr_dua_duplicate_address_detection(int8_t service_id, uint8_
protocol_interface_info_entry_t *cur = protocol_stack_interface_info_get_by_id(this->interface_id);
duplicate_dua_tr_t *tr_ptr = thread_border_router_dup_tr_find(this->interface_id, addr_data_ptr);
if (!tr_ptr) {
if (!cur || !tr_ptr) {
return -1;
}
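Review bot: In thread_pbbr_dua_duplicate_address_detection the result of `protocol_stack_interface_info_get_by_id` is only checked together with `tr_ptr` two lines after the lookup, so `thread_border_router_dup_tr_find` runs even for an interface that no longer exists; checking `cur` immediately after its lookup, `if (!cur) { return -1; }`, skips that search and keeps the two failure causes distinguishable in a trace. In thread_pbbr_bb_qry_cb the new `return -1` inside the `if (ba_response_status_count)` test-override block exits before the `ba_response_status_count--`, so the override stays armed for the next query; if that is not intended, the missing-config case could fall through to the normal (non-override) path instead. The remainder of both functions is outside the hunk.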


@ -756,6 +756,11 @@ static int thread_ccm_reenroll_registrar_addr_resp_cb(int8_t service_id, uint8_t
return -1;
}
if (!cur) {
tr_debug("Protocol stack interface info get failed");
return -1;
}
if (!thread_meshcop_tlv_find(response_ptr->payload_ptr, response_ptr->payload_len, MESHCOP_TLV_REGISTRAR_IPV6_ADDRESS, &addr_ptr)) {
tr_debug("Registrar addr get failed");
return -1;
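Review bot: The new `if (!cur)` check is placed after the `return -1` block that closes on the hunk's first line, and neither the assignment of `cur` nor that earlier condition is visible; if `cur` is obtained before that earlier check and referenced by it, the dereference still precedes the guard. Move the NULL check to the line directly after `protocol_stack_interface_info_get_by_id` returns (the start of thread_ccm_reenroll_registrar_addr_resp_cb is outside the hunk). The `tr_debug("Protocol stack interface info get failed")` message is a good addition and matches the style of the `Registrar addr get failed` trace below it; the other hunks in this commit that return silently on a NULL interface would benefit from the same.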


@ -751,8 +751,10 @@ void thread_child_id_request_info_init(thread_pending_child_id_req_t *child_info
thread_pending_child_id_req_t *thread_child_id_request_allocate(void)
{
thread_pending_child_id_req_t *req = ns_dyn_mem_alloc(sizeof(thread_pending_child_id_req_t));
memset(req->eiid, 0, 8);
thread_child_id_request_info_init(req);
if (req) {
memset(req->eiid, 0, 8);
thread_child_id_request_info_init(req);
}
return req;
}
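Review bot: `memset(req->eiid, 0, 8)` hard-codes the field width; now that `req` is known non-NULL inside the block, `memset(req->eiid, 0, sizeof req->eiid);` ties the zeroing to the declaration, assuming `eiid` is an array member rather than a pointer (the struct definition is not in the hunk). The wrapped block also reads more naturally as a guard clause, `if (!req) { return NULL; }`, followed by the two initialising calls at function scope, which matches the early-return shape used by the other null checks in this commit. Callers of thread_child_id_request_allocate presumably already cope with a NULL return, since `ns_dyn_mem_alloc` could fail before this change too — worth confirming.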


@ -719,8 +719,9 @@ static void configuration_set_copy_mandatory(configuration_set_t *destination_pt
static void configuration_set_generate(int8_t interface_id, configuration_set_t *destination_ptr, link_configuration_s *configuration_ptr)
{
uint8_t *response_ptr;
protocol_interface_info_entry_t *cur = protocol_stack_interface_info_get_by_id(interface_id);
if (!destination_ptr || !configuration_ptr) {
if (!destination_ptr || !configuration_ptr || !cur) {
return;
}
response_ptr = destination_ptr->data;
@ -739,7 +740,6 @@ static void configuration_set_generate(int8_t interface_id, configuration_set_t
response_ptr = thread_tmfcop_tlv_data_write(response_ptr, MESHCOP_TLV_PSKC, 16, configuration_ptr->PSKc);
response_ptr = thread_tmfcop_tlv_data_write(response_ptr, MESHCOP_TLV_NETWORK_NAME, stringlen((char *)&configuration_ptr->name, 16), configuration_ptr->name);
*response_ptr++ = MESHCOP_TLV_SECURITY_POLICY; // type
protocol_interface_info_entry_t *cur = protocol_stack_interface_info_get_by_id(interface_id);
if (thread_info(cur)->version >= THREAD_VERSION_1_2) {
*response_ptr++ = 4; // length
response_ptr = common_write_16_bit(configuration_ptr->key_rotation, response_ptr);
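Review bot: The guard now covers `cur`, but `thread_info(cur)->version` in the second hunk dereferences the result of `thread_info()` without a check; whether `thread_info()` can return NULL for an interface that is not running Thread cannot be seen from the hunk — confirm, because if it can, the commit moves the crash rather than removing it. Folding it into the existing early return keeps the style of the first hunk: `if (!destination_ptr || !configuration_ptr || !cur || !thread_info(cur)) { return; }`. Hoisting the `cur` lookup above the argument validation also means the interface table is searched even for calls that fail the `destination_ptr`/`configuration_ptr` check, which is harmless but slightly wasteful; the rest of configuration_set_generate lies between and after the two hunks.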


@ -1057,6 +1057,9 @@ static int8_t ws_pae_auth_timer_if_stop(kmp_service_t *service, kmp_api_t *kmp)
(void) service;
supp_entry_t *supp_entry = kmp_api_data_get(kmp);
if (!supp_entry) {
return -1;
}
kmp_entry_t *entry = ws_pae_lib_kmp_list_entry_get(&supp_entry->kmp_list, kmp);
if (!entry) {