Segfault due to null pointer dereferencing

Posted: 16 Jul 2015, 23:39
by pmarcelll
usb_modeswitch was recently updated on Arch Linux along with ModemManager/NetworkManager and I wanted to try my USB 3G modem, see if it works (there is an unrelated bug in NetworkManager). I plugged it in and nothing happened. I checked the system log and it said usb_modeswitch crashed. I downloaded the source and checked with the Clang Static Analyzer.

Here's the output:
$ scan-build make
scan-build: Using '/usr/bin/clang' for static analysis
/usr/lib/clang-analyzer/scan-build/ccc-analyzer -o usb_modeswitch usb_modeswitch.c -Wall `pkg-config --libs --cflags libusb-1.0`
usb_modeswitch.c:901:2: warning: Value stored to 'i' is never read
i = usb_bulk_io(devh, ResponseEndpoint, command, 13, 0);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
usb_modeswitch.c:1815:16: warning: Access to field 'bNumInterfaces' results in a dereference of a null pointer (loaded from variable 'active_config')
for (j=0; j < active_config->bNumInterfaces; j++) {
usb_modeswitch.c:1836:10: warning: The left operand of '<' is a garbage value
if (ret < 0) {
~~~ ^
3 warnings generated.

Then I compiled a debug build and confirmed that the problem is indeed dereferencing a null pointer at usb_modeswitch.c:1815.
I looked at the source code, and found the cause of the problem:
active_config is set to NULL at usb_modeswitch.c:567, but a few lines later find_first_bulk_endpoint() is called.
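
Added example (not usb_modeswitch's code and not posted by anyone in this thread): a reduced model of the bug class reported above. A descriptor walk that assumes an active configuration exists dereferences NULL when there is none, so the hardened variant checks the pointer before touching `bNumInterfaces` and reports the failure to the caller. The struct layouts, the constant names and the `sample_config()` data are constructed stand-ins for this example, not libusb's real definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the libusb descriptor structs (constructed for
 * this example; only the fields the search needs are modelled). */
#define EP_XFER_TYPE_MASK 0x03
#define EP_XFER_BULK      0x02
#define EP_DIR_IN         0x80

struct ep_desc {
    uint8_t bEndpointAddress;
    uint8_t bmAttributes;      /* low two bits: transfer type */
};

struct iface_desc {
    uint8_t bNumEndpoints;
    const struct ep_desc *endpoint;
};

struct config_desc {
    uint8_t bNumInterfaces;
    const struct iface_desc *interface;
};

/* Shared search logic: first bulk endpoint in the requested direction, or -1. */
static int search_bulk_endpoint(const struct config_desc *config, int want_in)
{
    for (int j = 0; j < config->bNumInterfaces; j++) {
        const struct iface_desc *iface = &config->interface[j];
        for (int k = 0; k < iface->bNumEndpoints; k++) {
            const struct ep_desc *ep = &iface->endpoint[k];
            int is_bulk = (ep->bmAttributes & EP_XFER_TYPE_MASK) == EP_XFER_BULK;
            int is_in   = (ep->bEndpointAddress & EP_DIR_IN) != 0;
            if (is_bulk && is_in == (want_in != 0))
                return ep->bEndpointAddress;
        }
    }
    return -1;
}

/* Unchecked variant: the pattern behind the crash. If the caller never
 * obtained an active configuration (config == NULL), the first access to
 * config->bNumInterfaces dereferences a null pointer and the process dies. */
int find_first_bulk_endpoint_unchecked(const struct config_desc *config, int want_in)
{
    return search_bulk_endpoint(config, want_in);
}

/* Hardened variant: refuse to walk a configuration that was never set and
 * hand the caller an error it must act on, instead of faulting. */
int find_first_bulk_endpoint(const struct config_desc *config, int want_in)
{
    if (config == NULL) {
        fprintf(stderr, "no active configuration; cannot search for bulk endpoints\n");
        return -1;
    }
    return search_bulk_endpoint(config, want_in);
}

/* Constructed sample device: an interrupt IN endpoint (must be skipped),
 * a bulk OUT endpoint on interface 0 and a bulk IN endpoint on interface 1. */
static const struct ep_desc iface0_eps[] = {
    { 0x81, 0x03 },   /* interrupt IN, not bulk */
    { 0x02, 0x02 },   /* bulk OUT */
};
static const struct ep_desc iface1_eps[] = {
    { 0x83, 0x02 },   /* bulk IN */
};
static const struct iface_desc sample_ifaces[] = {
    { 2, iface0_eps },
    { 1, iface1_eps },
};
static const struct config_desc sample = { 2, sample_ifaces };

const struct config_desc *sample_config(void) { return &sample; }

int main(void)
{
    printf("bulk IN  : %d\n", find_first_bulk_endpoint(sample_config(), 1));  /* 131 (0x83) */
    printf("bulk OUT : %d\n", find_first_bulk_endpoint(sample_config(), 0));  /* 2 */
    printf("no config: %d\n", find_first_bulk_endpoint(NULL, 1));             /* -1, no crash */
    return 0;
}
```

The only difference between the two search functions is the guard; a static analyzer such as the one used above flags the unchecked path precisely because the NULL assignment and the later dereference are both visible in the same translation unit, so the warning is worth treating as a real crash rather than noise.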

Re: Segfault due to null pointer dereferencing

Posted: 16 Jul 2015, 23:56
by Josh
I have just released version 2.2.5 which fixes that stupid bug and others. ... .5.tar.bz2