The C Source, Patches and (shudder!) Bugs
Post Reply
pmarcelll
Posts: 1
Joined: Thu Jul 16, 2015 11:12 pm

Segfault due to nullpointer dereferencing

Post by pmarcelll » Thu Jul 16, 2015 11:39 pm

usb_modeswitch was recently updated on Arch Linux along with ModemManager/NetworkManager and I wanted to try my USB 3G modem, see if it works (there is an unrelated bug in NetworkManager). I plugged it in and nothing happened. I checked the system log an it said usb_modeswithch crashed. I downloaded the source and checked with the Clang Static Analyzer.

Here's the output:
$ scan-build make
scan-build: Using '/usr/bin/clang' for static analysis
/usr/lib/clang-analyzer/scan-build/ccc-analyzer -o usb_modeswitch usb_modeswitch.c -Wall `pkg-config --libs --cflags libusb-1.0`
usb_modeswitch.c:901:2: warning: Value stored to 'i' is never read
i = usb_bulk_io(devh, ResponseEndpoint, command, 13, 0);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
usb_modeswitch.c:1815:16: warning: Access to field 'bNumInterfaces' results in a dereference of a null pointer (loaded from variable 'active_config')
for (j=0; j < active_config->bNumInterfaces; j++) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
usb_modeswitch.c:1836:10: warning: The left operand of '<' is a garbage value
if (ret < 0) {
~~~ ^
3 warnings generated.

The I compiled a debug build and confirmed that the problem is indeed dereferencing a null pointer at usb_modeswitch.c:1815.
I looked at the source code, and found the cause of the problem:
active_config is set to NULL at usb_modeswitch.c:567, but a few lines later find_first_bulk_endpoint() is called.

Josh
Site Admin
Posts: 6534
Joined: Sat Nov 03, 2007 12:30 am

Re: Segfault due to nullpointer dereferencing

Post by Josh » Thu Jul 16, 2015 11:56 pm

Thanks!
I have just released version 2.2.5 which fixes that stupid bug and others.

http://www.draisberghof.de/usb_modeswit ... .5.tar.bz2

Post Reply