On Sun, 2017-04-23 at 16:00 +0800, PanBian wrote:
> On Sun, Apr 23, 2017 at 12:17:16AM -0700, Joe Perches wrote:
> > On Sun, 2017-04-23 at 15:09 +0800, Pan Bian wrote:
> > > Function nlmsg_new() will return a NULL pointer if there is not enough
> > > memory, and its return value should be checked before it is used.
> > > However, in function tipc_nl_node_get_monitor(), the validation of the
> > > return value of function nlmsg_new() is missed. This patch fixes the
> > > bug.
> >
> > Hello.
> >
> > Thanks for the patches.
> >
> > Are you finding these via a tool or inspection?
> >
> > If a tool is being used, could you please describe it?
> >
>
> Yes. I developed a tool to find this kind of bugs.
>
> The detecting idea is simple. In large systems like the Linux kernel,
> most implementations are correct, and incorrect ones are rare. Based on
> this observation, we take programs that have different implementations
> with others as bugs. For example, in most cases, the return value of
> nlmsg_new() is validated and it will not be passed to genlmsg_reply() if
> its value is NULL. However, in function tipc_nl_node_get_monitor(), the
> validation is missing. The abnormal behavior leads us to believe that
> there is a bug.

Perhaps adding __must_check to some of the appropriate function declarations/prototypes would help avoid new future misuses.
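
The detection idea described in the quoted message, sketched as an added example that is not part of the thread and is not the tool discussed in it: call sites of nlmsg_new() are compared, and a site is flagged only when it omits a NULL check that most other sites perform. The sample C bodies, their function names, the regex-based matching and the 0.7 threshold are all assumptions made for illustration.

```python
import re

# Constructed C bodies (not kernel source); function names are hypothetical.
SAMPLES = {
    "sample_a": """msg = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
                   if (!msg)
                       return -ENOMEM;
                   return genlmsg_reply(msg, info);""",
    "sample_b": """rep = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
                   if (rep == NULL)
                       return -ENOMEM;
                   return genlmsg_reply(rep, info);""",
    "sample_c": """skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
                   if (unlikely(!skb))
                       return -ENOMEM;
                   return genlmsg_reply(skb, info);""",
    "sample_unchecked": """msg = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
                           return genlmsg_reply(msg, info);""",
}

# Matches "<var> = nlmsg_new(" and captures the variable holding the result.
ALLOC = re.compile(r"(\w+)\s*=\s*nlmsg_new\s*\(")


def null_checked(body, var, start):
    """True if `var` is tested against NULL anywhere after offset `start`."""
    v = re.escape(var)
    test = re.compile(rf"!\s*{v}\b|\b{v}\s*[!=]=\s*NULL\b|\bNULL\s*[!=]=\s*{v}\b")
    return bool(test.search(body, start))


def find_deviants(functions, threshold=0.7):
    """Names of functions that skip a check most other call sites perform."""
    sites = {}
    for name, body in functions.items():
        m = ALLOC.search(body)
        if m:  # functions that never call nlmsg_new() are not call sites
            sites[name] = null_checked(body, m.group(1), m.end())
    if not sites:
        return []
    ratio = sum(sites.values()) / len(sites)
    # Only treat the check as the norm when enough sites agree on it.
    if ratio < threshold:
        return []
    return sorted(name for name, ok in sites.items() if not ok)


if __name__ == "__main__":
    print(find_deviants(SAMPLES))
```
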