bthnycl / tinyos-main

Automatically exported from code.google.com/p/tinyos-main

[patch] Null-pointer dereference in fragpool #74

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Alright, this one was a ***** to find. Someone owes us a pizza I think! ;)

Under very specific conditions and usage of the PPP fragpool, it's possible to 
run into a null-pointer dereference. The code at first and second glance looks 
fine as the first thing it does is testing the pointer for null. It's only 
after parsing three nested parentheses it becomes clear that that check is not 
sufficient.

As a result of the null-pointer dereference we can then end up with a negative 
value in bsp->length which propagates out and causes all sorts of "fun".

The attached patch:
a) Fixes the null pointer deref.
b) Restructures that logical expression to be far more readable (and hence 
maintainable).
c) Defensively tests for negative length values. This should not be needed at 
this stage, but if there ever is a regression in this area it should at least 
behave sanely and consistently now.

Note: this patch might not apply fully cleanly as we've done a bit of 
refactoring and reliability-improvements in this area too. As such the diff 
offsets might not line up properly. Apologies for any inconvenience. We'll 
submit the other changes once we're satisfied we have no regressions there and 
it performs as expected.

Original issue reported on code.google.com by jmatts...@dius.com.au on 10 Oct 2011 at 12:52

GoogleCodeExporter commented 9 years ago

Original comment by philip.l...@gmail.com on 14 Oct 2011 at 9:17

GoogleCodeExporter commented 9 years ago
Fixed in r5775.

Nice catch.  I fixed this with a simpler test that uses a temporary variable; 
it's 20 bytes shorter than the original and, I believe, more obviously correct.

Original comment by pabi...@gmail.com on 14 Oct 2011 at 10:28
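The two failure modes discussed in this thread (a null check that is present but does not guard every dereference in a compound condition, and a negative length that then propagates) are easy to reproduce in a small fragment-pool model. The following is an added illustration written for this page, not the TinyOS fragpool code or the committed fix in r5775; the slot layout, the `can_append_*` and `slot_consume` functions and their parameters are all hypothetical. It shows the buggy shape of the check beside a rewrite in the spirit of both comments: a temporary holds the remaining space once the pointer is known good, and negative lengths are rejected defensively.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed fragment-pool slot for illustration only; the real TinyOS
 * fragpool structures are not reproduced here. */
typedef struct frag_slot {
    int16_t length;      /* bytes in use; a negative value means corrupted state */
    uint8_t data[64];
} frag_slot;

/* Before: the NULL test is there, but the grouping lets the second disjunct
 * run when bsp is NULL, so bsp->length is still dereferenced. Never call this
 * with bsp == NULL; it is kept only to show the pattern. */
static int can_append_buggy(const frag_slot *bsp, size_t need, int allow_empty)
{
    return (bsp != NULL && (size_t)bsp->length + need <= sizeof bsp->data)
        || (allow_empty && bsp->length == 0);
}

/* After: check the pointer once, reject negative lengths so a regression fails
 * consistently instead of propagating, then reason about a temporary that
 * holds the remaining space. */
static int can_append_fixed(const frag_slot *bsp, size_t need, int allow_empty)
{
    size_t remaining;

    if (bsp == NULL)
        return 0;
    if (bsp->length < 0)
        return 0;                           /* defensive: corrupted slot */
    if (allow_empty && bsp->length == 0)
        return 1;
    remaining = sizeof bsp->data - (size_t)bsp->length;
    return need <= remaining;
}

/* Consume n bytes from the slot. Returns the new length, or -1 without
 * touching the slot when the pointer is NULL, the length is already negative,
 * or the request would drive the length below zero. */
static int slot_consume(frag_slot *bsp, size_t n)
{
    if (bsp == NULL || bsp->length < 0 || n > (size_t)bsp->length)
        return -1;
    bsp->length = (int16_t)(bsp->length - (int16_t)n);
    return bsp->length;
}

/* Exercises the fixed paths on constructed slots; returns 1 when every
 * expectation holds, 0 otherwise. */
static int run_self_check(void)
{
    frag_slot s = { .length = 10, .data = { 0 } };

    if (can_append_fixed(NULL, 1, 1) != 0) return 0;   /* NULL rejected */
    if (can_append_fixed(&s, 54, 0) != 1) return 0;    /* exactly fits */
    if (can_append_fixed(&s, 55, 0) != 0) return 0;    /* one byte too many */
    if (can_append_buggy(&s, 54, 0) != 1) return 0;    /* same answer on a valid slot */

    s.length = -3;                                     /* simulated regression */
    if (can_append_fixed(&s, 1, 0) != 0) return 0;     /* refused, not wrapped */
    if (slot_consume(&s, 1) != -1) return 0;           /* refused, slot untouched */

    s.length = 10;
    if (slot_consume(&s, 11) != -1) return 0;          /* would go negative */
    if (slot_consume(&s, 10) != 0) return 0;           /* drains to empty */
    if (can_append_fixed(&s, 64, 1) != 1) return 0;    /* empty slot, allow_empty */
    return 1;
}

int main(void)
{
    printf("self check: %s\n", run_self_check() ? "ok" : "FAILED");
    return 0;
}
```

The buggy variant is deliberately never called with a NULL pointer here; compiling it with the undefined-behaviour sanitizer and passing NULL is the quickest way to see the dereference the issue reports. The point of the temporary in the fixed version is that every use of `bsp` sits after the single early return, so the guard cannot be bypassed by a later change to the expression.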