Date: Wed, 22 May 2019 08:16:17 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 238043] Null pointer deference in function xdr_rpcb_entry_list_ptr of sys/rpc/rpcb_prot.c
Message-ID: <bug-238043-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238043

            Bug ID: 238043
           Summary: Null pointer deference in function
                    xdr_rpcb_entry_list_ptr of sys/rpc/rpcb_prot.c
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: yangx92@hotmail.com

Created attachment 204534
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=204534&action=edit
Proposed patch

There is a null pointer dereference vulnerability in function
xdr_rpcb_entry_list_ptr of sys/rpc/rpcb_prot.c.

01              if (freeing)
02                      next = (*rp)->rpcb_entry_next;
03              if (! xdr_reference(xdrs, (caddr_t *)rp,
04                  (u_int)sizeof (rpcb_entry_list),
05                                  (xdrproc_t)xdr_rpcb_entry)) {
06                      return (FALSE);
07              }
08              if (freeing && *rp) {
09                      next_copy = next;
10                      rp = &next_copy;
11                      /*
12                       * Note that in the subsequent iteration, next_copy
13                       * gets nulled out by the xdr_reference
14                       * but next itself survives.
15                       */
16              } else if (*rp) {
17                      rp = &((*rp)->rpcb_entry_next);
18              }

There is an access of rp in line 2 and no access in line 9 and line 10.
Therefore, we should change the condition in line 1 to line 8, and change
the condition in line 8 to line 1.

The attachment is the proposed patch.

-- 
You are receiving this mail because:
You are the assignee for the bug.
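
The freeing walk from the fragment above, with the next-pointer read guarded by a NULL check as the report proposes. This is an added example, not the attached patch or FreeBSD's code. It models only the freeing case; `struct entry`, `ref_free`, `make_list`, `free_list` and the loop exit test are stand-ins assumed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for rpcb_entry_list; only the link field matters here. */
struct entry {
	struct entry *next;
};

/* Stand-in for xdr_reference() when freeing: release *pp and null it,
 * as the comment in the quoted fragment describes. */
static int ref_free(struct entry **pp, int *freed)
{
	if (*pp != NULL) {
		free(*pp);
		*pp = NULL;
		(*freed)++;
	}
	return 1;
}

/* Build a list of n nodes (constructed sample input). */
static struct entry *make_list(int n)
{
	struct entry *head = NULL;
	while (n-- > 0) {
		struct entry *e = malloc(sizeof(*e));
		if (e == NULL)
			abort();
		e->next = head;
		head = e;
	}
	return head;
}

/* Returns the number of nodes freed, or -1 if the stand-in fails.
 * The exit test at the bottom is an assumption; the report omits it. */
static int free_list(struct entry **rp)
{
	struct entry *next = NULL, *next_copy;
	int freed = 0;

	for (;;) {
		if (*rp != NULL)        /* guard before reading the link */
			next = (*rp)->next;
		if (!ref_free(rp, &freed))
			return -1;
		next_copy = next;       /* *rp was nulled; continue via the saved link */
		rp = &next_copy;
		if (*rp == NULL)
			return freed;
	}
}
```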