NULL pointer dereference in _lx_nand_flash_open #45
Description
If you call _lx_nand_flash_open twice in a row (without calling _lx_nand_flash_close in between), there is a NULL pointer dereference on line 508:
/* Place the NAND flash control block on the list of opened NAND flashes. First,
check for an empty list. */
if (_lx_nand_flash_opened_count)
{
/* List is not empty - other NAND flashes are open. */
/* Pickup tail pointer. */
tail_ptr = _lx_nand_flash_opened_ptr -> lx_nand_flash_open_previous;
/* Place the new NAND flash control block in the list. */
_lx_nand_flash_opened_ptr -> lx_nand_flash_open_previous = nand_flash;
tail_ptr -> lx_nand_flash_open_next = nand_flash; <---- NULL pointer dereference here
/* Setup this NAND flash's opened links. */
nand_flash -> lx_nand_flash_open_previous = tail_ptr;
nand_flash -> lx_nand_flash_open_next = _lx_nand_flash_opened_ptr;
}
This is because the LX_NAND_FLASH control block is zeroed out at the top of the function.