As I am facing issues with in-the-field systems, I am rechecking code with updated static analysis tools.
In the following code from Components/stack/zdo/ZDProfile.c, dstAddr is potentially null (there is a test for it).
When it is null, then fillAndSend is called where the null pointer is dereferenced through the ZADDR_TO_AFADDR macro.
afStatus_t ZDP_MgmtPermitJoinReq( zAddrType_t *dstAddr, byte duration, byte TcSignificance, byte SecurityEnable )
{
  (void)SecurityEnable;  // Intentionally unreferenced parameter

  // Build buffer
  ZDP_TmpBuf[ZDP_MGMT_PERMIT_JOIN_REQ_DURATION] = duration;
  ZDP_TmpBuf[ZDP_MGMT_PERMIT_JOIN_REQ_TC_SIG] = TcSignificance;

  // Check if this is a broadcast message
  if ( (dstAddr) && ((dstAddr->addrMode == Addr16Bit) || (dstAddr->addrMode == AddrBroadcast))
       && ((dstAddr->addr.shortAddr == NWK_BROADCAST_SHORTADDR_DEVALL)
           || (dstAddr->addr.shortAddr == NWK_BROADCAST_SHORTADDR_DEVZCZR)
           || (dstAddr->addr.shortAddr == NWK_BROADCAST_SHORTADDR_DEVRXON)) )
  {
    // Send this to our self as well as broadcast to network
    zAddrType_t tmpAddr;
    tmpAddr.addrMode = Addr16Bit;
    tmpAddr.addr.shortAddr = NLME_GetShortAddr();
    fillAndSend( &ZDP_TransID, &tmpAddr, Mgmt_Permit_Join_req, ZDP_MGMT_PERMIT_JOIN_REQ_SIZE );
  }

  // Send the message
  return fillAndSend( &ZDP_TransID, dstAddr, Mgmt_Permit_Join_req, ZDP_MGMT_PERMIT_JOIN_REQ_SIZE );
}
What is the proper implementation there?
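A null-safe rewrite of the function, as an added example that is not code from Z-Stack or from the post above: the destination is validated once at the top, so the NULL that the original's broadcast test tolerates can no longer reach fillAndSend. The types, constants, cluster id, own short address and fillAndSend are minimal stand-ins (assumed, not the real headers) so the block compiles on its own.

```c
#include <stddef.h>
#include <stdint.h>
/* Minimal stand-ins for the Z-Stack types and constants (assumed, not the real headers). */
typedef uint8_t byte;
typedef enum { afStatus_SUCCESS = 0x00, afStatus_INVALID_PARAMETER = 0xA1 } afStatus_t;
typedef enum { Addr16Bit = 2, AddrBroadcast = 15 } addrMode_t;
typedef struct { union { uint16_t shortAddr; } addr; addrMode_t addrMode; } zAddrType_t;
#define NWK_BROADCAST_SHORTADDR_DEVALL  0xFFFF
#define NWK_BROADCAST_SHORTADDR_DEVZCZR 0xFFFC
#define NWK_BROADCAST_SHORTADDR_DEVRXON 0xFFFD
#define ZDP_MGMT_PERMIT_JOIN_REQ_SIZE   2
#define Mgmt_Permit_Join_req            0x0036  /* cluster id; value assumed */
static byte ZDP_TransID;
static byte ZDP_TmpBuf[ZDP_MGMT_PERMIT_JOIN_REQ_SIZE];
static int  g_sends;  /* frames the stand-in fillAndSend "transmitted" */

/* Stand-in for fillAndSend: it dereferences dstAddr just as ZADDR_TO_AFADDR does,
 * so handing it NULL is exactly the crash described in the post. */
static afStatus_t fillAndSend(byte *transID, zAddrType_t *dstAddr, uint16_t clusterID, byte len)
{
    (void)clusterID; (void)len;
    if (dstAddr->addrMode > AddrBroadcast) return afStatus_INVALID_PARAMETER; /* deref here */
    (*transID)++; g_sends++;
    return afStatus_SUCCESS;
}
static int isNetworkBroadcast(uint16_t a)
{
    return a == NWK_BROADCAST_SHORTADDR_DEVALL || a == NWK_BROADCAST_SHORTADDR_DEVZCZR
        || a == NWK_BROADCAST_SHORTADDR_DEVRXON;
}

/* Same contract as ZDP_MgmtPermitJoinReq, but a NULL destination is rejected
 * before any code path can pass it on to fillAndSend. */
afStatus_t ZDP_MgmtPermitJoinReq_safe(zAddrType_t *dstAddr, byte duration,
                                      byte TcSignificance, byte SecurityEnable)
{
    (void)SecurityEnable;
    if (dstAddr == NULL) return afStatus_INVALID_PARAMETER;   /* the missing guard */
    ZDP_TmpBuf[0] = duration;        /* ZDP_MGMT_PERMIT_JOIN_REQ_DURATION */
    ZDP_TmpBuf[1] = TcSignificance;  /* ZDP_MGMT_PERMIT_JOIN_REQ_TC_SIG */
    if ((dstAddr->addrMode == Addr16Bit || dstAddr->addrMode == AddrBroadcast)
        && isNetworkBroadcast(dstAddr->addr.shortAddr)) {
        zAddrType_t self = { { 0x0001 }, Addr16Bit };  /* own short addr, constructed */
        fillAndSend(&ZDP_TransID, &self, Mgmt_Permit_Join_req, ZDP_MGMT_PERMIT_JOIN_REQ_SIZE);
    }
    return fillAndSend(&ZDP_TransID, dstAddr, Mgmt_Permit_Join_req, ZDP_MGMT_PERMIT_JOIN_REQ_SIZE);
}
/* Test hook: run one request, return how many frames went out, report the status. */
int permitJoinSendCount(zAddrType_t *dstAddr, afStatus_t *status)
{
    g_sends = 0;
    *status = ZDP_MgmtPermitJoinReq_safe(dstAddr, 60, 0, 0);
    return g_sends;
}
```

With the guard in place a NULL destination yields an error status and no frame, a unicast destination yields one frame, and a network broadcast yields two (one to self, one to the network), matching the original's intended behaviour for valid input.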