Custom Query (16363 matches)
Results (1732 - 1734 of 16363)
| Ticket | Resolution | Summary | Owner | Reporter |
|---|---|---|---|---|
| #16837 | invalid | sf_path_from_dentry: null pointer dereference on failed kmalloc allocation | | |
| #16836 | fixed | sf_unlink_aux: potential null pointer dereference on dentry | | |
| #16834 | invalid | VGDrvCommonIoCtl may be potentially dereferencing a null pointer on pcbDataReturned | | |

#16837 description: Function sf_path_from_dentry in src/VBox/Additions/linux/sharedfolders/utils.c is allocating a buffer using kmalloc but it does not check if the allocation failed:

```c
out_bound_len = PATH_MAX;
out = kmalloc(out_bound_len, GFP_KERNEL);
name = out;
```

...and later it is dereferenced, leading to a potential NULL pointer dereference crash:

```c
LogFunc(("result(%d) = %.*s\n", len, len, name));
*out = 0;
```

I suggest that the kmalloc failure case needs to be handled correctly.

#16836 description: Function sf_unlink_aux() in vboxsf/dirops.c performs a dereference on dentry with the following call:

```c
err = sf_path_from_dentry(__func__, sf_g, sf_i, dentry, &path);
```

However, a few statements later dentry is being checked to see if it is a NULL pointer:

```c
if (   dentry
    && dentry->d_inode
    && ((dentry->d_inode->i_mode & S_IFLNK) == S_IFLNK))
    fFlags |= SHFL_REMOVE_SYMLINK;
```

Either that null pointer check is redundant or dentry really could be NULL, in which case the earlier call to sf_path_from_dentry with a null dentry can trip a null pointer dereference bug on dentry. Anyhow, the current code looks suspect and should be fixed.

#16834 description: Function VGDrvCommonIoCtl in src/VBox/Additions/common/VBoxGuest/VBoxGuest.cpp is checking to see if pcbDataReturned is NULL and then setting it to zero, thus the code assumes there is a potential for the pointer to be NULL. However, later in the function we have:

```c
case VBOXGUEST_IOCTL_GUEST_CAPS_ACQUIRE:
    CHECKRET_SIZE("GUEST_CAPS_ACQUIRE", sizeof(VBoxGuestCapsAquire));
    rc = vgdrvIoCtl_GuestCapsAcquire(pDevExt, pSession, (VBoxGuestCapsAquire *)pvData);
    *pcbDataReturned = sizeof(VBoxGuestCapsAquire);
    break;
```

and this is dereferencing the pointer that could potentially be zero.
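All three tickets above share one defect shape: a pointer that is NULL-checked in one place (or an allocation result that is never checked) and dereferenced unconditionally somewhere else. The program below is an added example and is not VirtualBox code. It models the kmalloc failure path of #16837 with a small fallible allocator plus a fault-injection hook, and the check-before-use ordering of #16836, using hypothetical names (sim_kmalloc, sim_set_alloc_failure, sim_dentry, sim_path_from_dentry, sim_unlink) and a constructed three-component dentry chain. It generalises the tickets' specific functions to the pattern a reviewer wants to see: validate the input pointer before its first use, check the allocation result, and propagate -ENOMEM rather than touching the buffer.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not VirtualBox code). All names below are hypothetical. */

#define PATH_MAX_SIM 4096

/* Fault-injection hook (constructed for this example): when set, the next
 * allocation returns NULL so the failure path can be exercised on purpose. */
static int g_fail_next_alloc = 0;

static void sim_set_alloc_failure(int fail_next)
{
    g_fail_next_alloc = fail_next ? 1 : 0;
}

/* Stand-in for kmalloc: a fallible allocator. */
static void *sim_kmalloc(size_t n)
{
    if (g_fail_next_alloc)
        return NULL;            /* simulate an allocation failure */
    return malloc(n);
}

static void sim_kfree(void *p) { free(p); }

/* Hypothetical dentry: a name and a parent link, leaf -> root. */
struct sim_dentry {
    const char *name;
    const struct sim_dentry *parent;
};

/* Builds "/a/b/c" from the dentry chain into a freshly allocated buffer.
 * Returns 0 and sets *out_path on success, -EINVAL for a NULL dentry
 * (the check #16836 wants before the first use), and -ENOMEM when the
 * allocation fails (the check #16837 says is missing). */
static int sim_path_from_dentry(const struct sim_dentry *dentry, char **out_path)
{
    *out_path = NULL;
    if (!dentry)
        return -EINVAL;

    char *buf = sim_kmalloc(PATH_MAX_SIM);
    if (!buf)
        return -ENOMEM;         /* never touch buf when the allocation failed */

    /* Fill from the end backwards so no separate reversal pass is needed. */
    char *p = buf + PATH_MAX_SIM - 1;
    *p = '\0';
    for (const struct sim_dentry *d = dentry; d; d = d->parent) {
        size_t len = strlen(d->name);
        if ((size_t)(p - buf) < len + 1) {   /* +1 for the leading '/' */
            sim_kfree(buf);
            return -ENAMETOOLONG;
        }
        p -= len;
        memcpy(p, d->name, len);
        *--p = '/';
    }
    memmove(buf, p, strlen(p) + 1);
    *out_path = buf;
    return 0;
}

/* Caller mirroring the unlink-style flow: the path builder validates dentry
 * and the allocation, and every error is propagated instead of being ignored. */
static int sim_unlink(const struct sim_dentry *dentry)
{
    char *path = NULL;
    int rc = sim_path_from_dentry(dentry, &path);
    if (rc)
        return rc;
    /* A real driver would hand `path` to the host here. */
    sim_kfree(path);
    return 0;
}

int main(void)
{
    /* Constructed sample chain: c -> b -> a -> (root). */
    struct sim_dentry a = { "a", NULL }, b = { "b", &a }, c = { "c", &b };
    char *path = NULL;

    int rc = sim_path_from_dentry(&c, &path);
    printf("normal case: rc=%d path=%s\n", rc, rc ? "(none)" : path);
    if (!rc)
        sim_kfree(path);

    sim_set_alloc_failure(1);
    rc = sim_unlink(&c);
    printf("injected allocation failure: rc=%d (%s)\n", rc,
           rc == -ENOMEM ? "-ENOMEM returned, no dereference" : "unexpected");
    sim_set_alloc_failure(0);

    printf("NULL dentry: rc=%d\n", sim_unlink(NULL));
    return 0;
}
```

The fault-injection hook is the part worth keeping in a real test suite: an allocation-failure path that is never executed is exactly the path that ships with the dereference still in it.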

