From 1ab8245a3b7a9d1c9ac07c001bd7c3cff3d278fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fl=C3=A1vio=20J=2E=20Saraiva?= <flaviojs2005@gmail.com>
Date: Thu, 4 Apr 2024 05:47:43 +0100
Subject: [PATCH] Fix NULL dereferences from NULL dyn_sprintf values.

Some memory leaks were also fixed.

Fixes #120
---
 common/dev_c7200_pos.c | 48 +++++++++++++++++++++++++++++++++++-------
 common/dev_pa_mc8te1.c | 26 +++++++++++++++++------
 2 files changed, 59 insertions(+), 15 deletions(-)

diff --git a/common/dev_c7200_pos.c b/common/dev_c7200_pos.c
index 1a93b573e..fcab240d9 100644
--- a/common/dev_c7200_pos.c
+++ b/common/dev_c7200_pos.c
@@ -690,34 +690,46 @@ int dev_c7200_pa_pos_init(vm_instance_t *vm,struct cisco_card *card)
    c7200_set_slot_eeprom(VM_C7200(vm),slot,&card->eeprom);
 
    /* Initialize RX device */
-   d->rx_name = dyn_sprintf("%s_RX",card->dev_name);
+   if (!(d->rx_name = dyn_sprintf("%s_RX",card->dev_name))) {
+      goto err_rx_name;
+   }
    dev_init(&d->rx_dev);
    d->rx_dev.name      = d->rx_name;
    d->rx_dev.priv_data = d;
    d->rx_dev.handler   = dev_pos_rx_access;
 
    /* Initialize TX device */
-   d->tx_name = dyn_sprintf("%s_TX",card->dev_name);
+   if (!(d->tx_name = dyn_sprintf("%s_TX",card->dev_name))) {
+      goto err_tx_name;
+   }
    dev_init(&d->tx_dev);
    d->tx_dev.name      = d->tx_name;
    d->tx_dev.priv_data = d;
    d->tx_dev.handler   = dev_pos_tx_access;
 
    /* Initialize CS device */
-   d->cs_name = dyn_sprintf("%s_CS",card->dev_name);
+   if (!(d->cs_name = dyn_sprintf("%s_CS",card->dev_name))) {
+      goto err_cs_name;
+   }
    dev_init(&d->cs_dev);
    d->cs_dev.name      = d->cs_name;
    d->cs_dev.priv_data = d;
    d->cs_dev.handler   = dev_pos_cs_access;
 
    /* Initialize PLX9060 for RX part */
-   d->rx_obj = dev_plx9060_init(vm,d->rx_name,card->pci_bus,0,&d->rx_dev);
+   if (!(d->rx_obj = dev_plx9060_init(vm,d->rx_name,card->pci_bus,0,&d->rx_dev))) {
+      goto err_rx_obj;
+   }
 
    /* Initialize PLX9060 for TX part */
-   d->tx_obj = dev_plx9060_init(vm,d->tx_name,card->pci_bus,1,&d->tx_dev);
+   if (!(d->tx_obj = dev_plx9060_init(vm,d->tx_name,card->pci_bus,1,&d->tx_dev))) {
+      goto err_tx_obj;
+   }
 
    /* Initialize PLX9060 for CS part (CS=card status, chip status, ... ?) */
-   d->cs_obj = dev_plx9060_init(vm,d->cs_name,card->pci_bus,2,&d->cs_dev);
+   if (!(d->cs_obj = dev_plx9060_init(vm,d->cs_name,card->pci_bus,2,&d->cs_dev))) {
+      goto err_cs_obj;
+   }
 
    /* Unknown PCI device here (will be mapped at 0x30000) */
    dev_init(&d->dev);
@@ -726,13 +738,33 @@ int dev_c7200_pa_pos_init(vm_instance_t *vm,struct cisco_card *card)
    d->dev.phys_len  = 0x10000;
    d->dev.handler   = dev_pos_access;
 
-   d->pci_dev = pci_dev_add(card->pci_bus,card->dev_name,0,0,3,0,
+   if (!(d->pci_dev = pci_dev_add(card->pci_bus,card->dev_name,0,0,3,0,
                             c7200_net_irq_for_slot_port(slot,0),
-                            d,NULL,pci_pos_read,pci_pos_write);
+                            d,NULL,pci_pos_read,pci_pos_write))) {
+      goto err_pci_dev;
+   }
 
    /* Store device info into the router structure */
    card->drv_info = d;
    return(0);
+
+err_pci_dev:
+   vm_object_remove(vm, d->cs_obj);
+err_cs_obj:
+   vm_object_remove(vm, d->tx_obj);
+err_tx_obj:
+   vm_object_remove(vm, d->rx_obj);
+err_rx_obj:
+   free(d->cs_name);
+err_cs_name:
+   free(d->tx_name);
+err_tx_name:
+   free(d->rx_name);
+err_rx_name:
+   cisco_card_unset_eeprom(card);
+   c7200_set_slot_eeprom(VM_C7200(vm),slot,NULL);
+   free(d);
+   return(-1);
 }
 
 /* Remove a PA-POS-OC3 from the specified slot */
diff --git a/common/dev_pa_mc8te1.c b/common/dev_pa_mc8te1.c
index a0b0da7a4..0113df956 100644
--- a/common/dev_pa_mc8te1.c
+++ b/common/dev_pa_mc8te1.c
@@ -257,20 +257,22 @@ int dev_c7200_pa_mc8te1_init(vm_instance_t *vm,struct cisco_card *card)
                             NULL,pci_pos_read,pci_pos_write);
 
    /* Initialize SSRAM device */
-   d->ssram_name = dyn_sprintf("%s_ssram",card->dev_name);
+   if (!(d->ssram_name = dyn_sprintf("%s_ssram",card->dev_name))) {
+      goto err_ssram_name;
+   }
    dev_init(&d->ssram_dev);
    d->ssram_dev.name      = d->ssram_name;
    d->ssram_dev.priv_data = d;
    d->ssram_dev.handler   = dev_ssram_access;
 
    /* Create the PLX9054 */
-   d->plx_name = dyn_sprintf("%s_plx",card->dev_name);
-   d->plx_obj = dev_plx9054_init(vm,d->plx_name,
+   if (!(d->plx_name = dyn_sprintf("%s_plx",card->dev_name))) {
+      goto err_plx_name;
+   }
+   if (!(d->plx_obj = dev_plx9054_init(vm,d->plx_name,
                                  card->pci_bus,1,
-                                 &d->ssram_dev,NULL);
-   if (d->plx_obj == NULL) {
-      dev_c7200_pa_mc8te1_shutdown(vm, card);
-      return(-1);
+                                 &d->ssram_dev,NULL))) {
+      goto err_plx_obj;
    }
 
    /* Set callback function for PLX9054 PCI-To-Local doorbell */
@@ -282,6 +284,16 @@ int dev_c7200_pa_mc8te1_init(vm_instance_t *vm,struct cisco_card *card)
    /* Store device info into the router structure */
    card->drv_info = d;
    return(0);
+
+err_plx_obj:
+   free(d->plx_name);
+err_plx_name:
+   free(d->ssram_name);
+err_ssram_name:
+   cisco_card_unset_eeprom(card);
+   c7200_set_slot_eeprom(VM_C7200(vm),slot,NULL);
+   free(d);
+   return(-1);
 }
 
 /* Remove a PA-POS-OC3 from the specified slot */