Date: Tue, 27 Jan 2026 16:47:50 +0000
From: Bojan Novković <bnovkov@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 4bcc5a3cdc05 - main - btree/bt_seq.c: Fix two NULL pointer dereferences
Message-ID: <6978ec36.3c4d0.2698757a@gitrepo.freebsd.org>
The branch main has been updated by bnovkov:

URL: https://cgit.FreeBSD.org/src/commit/?id=4bcc5a3cdc05f217a8adf2f5f97a2e922663f741

commit 4bcc5a3cdc05f217a8adf2f5f97a2e922663f741
Author:     Bojan Novković <bnovkov@FreeBSD.org>
AuthorDate: 2026-01-27 15:13:13 +0000
Commit:     Bojan Novković <bnovkov@FreeBSD.org>
CommitDate: 2026-01-27 16:47:23 +0000

    btree/bt_seq.c: Fix two NULL pointer dereferences

    This change fixes two NULL pointer dereferences caused by the __bt_first
    function. The first was caused by returning 0 (i.e., RET_SUCCESS) when a
    key was not found, causing the caller to dereference an uninitialized or
    NULL pointer. The second one was caused by an if statement clobbering a
    local variable with a function call result that might be NULL.

    Reported by:    clang-tidy
    Sponsored by:   Klara, Inc.
    Reviewed by:    markj
    Obtained from:  https://github.com/apple-oss-distributions/libc (partially)
    Differential Revision: https://reviews.freebsd.org/D54905

--- lib/libc/db/btree/bt_seq.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/libc/db/btree/bt_seq.c b/lib/libc/db/btree/bt_seq.c index 2562724faf33..fc7fa693b747 100644 --- a/lib/libc/db/btree/bt_seq.c +++ b/lib/libc/db/btree/bt_seq.c @@ -325,7 +325,7 @@ usecurrent: F_CLR(c, CURS_AFTER | CURS_BEFORE); static int __bt_first(BTREE *t, const DBT *key, EPG *erval, int *exactp) { - PAGE *h; + PAGE *h, *hprev; EPG *ep, save; pgno_t pg; @@ -338,7 +338,7 @@ __bt_first(BTREE *t, const DBT *key, EPG *erval, int *exactp) * page) and return it. */ if ((ep = __bt_search(t, key, exactp)) == NULL) - return (0); + return (RET_SPECIAL); if (*exactp) { if (F_ISSET(t, B_NODUPS)) { *erval = *ep; 
@@ -369,14 +369,14 @@ __bt_first(BTREE *t, const DBT *key, EPG *erval, int *exactp) break; if (h->pgno != save.page->pgno) mpool_put(t->bt_mp, h, 0); - if ((h = mpool_get(t->bt_mp, + if ((hprev = mpool_get(t->bt_mp, h->prevpg, 0)) == NULL) { if (h->pgno == save.page->pgno) mpool_put(t->bt_mp, save.page, 0); return (RET_ERROR); } - ep->page = h; + ep->page = h = hprev; ep->index = NEXTINDEX(h); } --ep->index;
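Review bot: in the `@@ -338,7` hunk, every NULL from `__bt_search` now becomes RET_SPECIAL, but the commit message describes that NULL as "key not found" while the comment above the call describes a search that may fail for other reasons; if `__bt_search` can also return NULL when it cannot fetch a page, that failure is now reported as not-found rather than RET_ERROR. Worth confirming which cases produce NULL, and that every caller of `__bt_first` propagates any status other than RET_SUCCESS instead of reading `*erval`, which this path leaves unset.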
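Review bot: in the `@@ -369,14` hunk, `h->prevpg` is read in the `mpool_get(t->bt_mp, h->prevpg, 0)` call after `mpool_put(t->bt_mp, h, 0)` has already unpinned `h` in the `h->pgno != save.page->pgno` case, and the error branch reads `h->pgno` in the same state; `hprev` removes the NULL dereference but not this read-after-unpin. Suggest snapshotting what the error path needs before the put, e.g. `pgno_t prevpg = h->prevpg;` ahead of `mpool_put(t->bt_mp, h, 0);` and passing `prevpg` to `mpool_get`. Also, when `h->pgno != save.page->pgno` on the error path, nothing releases `save.page` before `return (RET_ERROR);`; if that case is reachable, `save.page` stays pinned.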
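As an added example, not code from the commit or from libc: a small C model of the two patterns the commit message describes, built over a constructed page pool. `pool_get`/`pool_put` stand in for mpool_get/mpool_put, `failing_pg` is a demo knob that makes one fetch fail, and the RET_* values and page layout are this example's own. `walk_first_prefix` keeps the pre-fix shape, where the fetch clobbers `h` and the error path then dereferences NULL; `walk_first_fixed` fetches into `hprev` so the page still held can be released; `find_first` reports a failed lookup as RET_SPECIAL instead of 0 so that `first_or_invalid` never reads the unset out-parameter. Pin counts let you check that no path leaks a page.

```c
#include <stddef.h>

/* Status codes with the names db(3) uses; the values are this demo's own. */
#define RET_ERROR   (-1)
#define RET_SUCCESS 0
#define RET_SPECIAL 1

typedef unsigned int pgno_t;
#define P_INVALID ((pgno_t)0)            /* constructed: page 0 is never a page */

typedef struct {
    pgno_t pgno;
    pgno_t prevpg;
    int    pinned;                       /* models the mpool pin count */
} PAGE;

/* Constructed leaf chain 4 -> 3 -> 2 -> 1 via prevpg links. */
static PAGE pool[] = {
    {0, P_INVALID, 0}, {1, P_INVALID, 0}, {2, 1, 0}, {3, 2, 0}, {4, 3, 0},
};
#define NPAGES ((pgno_t)(sizeof(pool) / sizeof(pool[0])))
pgno_t failing_pg = P_INVALID;           /* demo knob: fetching this page fails */

/* Stand-ins for mpool_get()/mpool_put(): NULL means the fetch failed. */
static PAGE *pool_get(pgno_t pg)
{
    if (pg == P_INVALID || pg >= NPAGES || pg == failing_pg)
        return NULL;
    pool[pg].pinned++;
    return &pool[pg];
}
static void pool_put(PAGE *h) { h->pinned--; }

/* Pins still held across the whole pool; 0 means nothing leaked. */
int pins_outstanding(void)
{
    int n = 0;
    for (pgno_t i = 0; i < NPAGES; i++)
        n += pool[i].pinned;
    return n;
}

/* Pre-fix shape: the fetch overwrites h, so a failed fetch makes the error
 * path read h->pgno through NULL. Only call it when no fetch fails.
 * `save` is the caller's pinned page and stays pinned on success. */
int walk_first_prefix(PAGE *save, pgno_t *firstpg)
{
    PAGE *h = save;
    while (h->prevpg != P_INVALID) {
        if (h->pgno != save->pgno)
            pool_put(h);
        if ((h = pool_get(h->prevpg)) == NULL) {
            if (h->pgno == save->pgno)       /* h is NULL here */
                pool_put(save);
            return RET_ERROR;
        }
    }
    *firstpg = h->pgno;
    if (h->pgno != save->pgno)
        pool_put(h);
    return RET_SUCCESS;
}

/* Fixed shape: the fetch goes into hprev, h stays valid in the error path,
 * and every page this walk pinned (plus `save`) is released on RET_ERROR. */
int walk_first_fixed(PAGE *save, pgno_t *firstpg)
{
    PAGE *h = save, *hprev;
    while (h->prevpg != P_INVALID) {
        if ((hprev = pool_get(h->prevpg)) == NULL) {
            if (h->pgno != save->pgno)
                pool_put(h);                 /* h is still the page we hold */
            pool_put(save);
            return RET_ERROR;
        }
        if (h->pgno != save->pgno)
            pool_put(h);
        h = hprev;
    }
    *firstpg = h->pgno;
    if (h->pgno != save->pgno)
        pool_put(h);
    return RET_SUCCESS;
}

/* First fix: a failed lookup reports RET_SPECIAL, never 0 (== RET_SUCCESS),
 * so *firstpg is only trusted when the status says it was written. */
int find_first(pgno_t start, pgno_t *firstpg)
{
    PAGE *save;
    int status;
    if ((save = pool_get(start)) == NULL)
        return RET_SPECIAL;                  /* pre-fix: return (0) here */
    status = walk_first_fixed(save, firstpg);
    if (status == RET_SUCCESS)
        pool_put(save);                      /* the error path already dropped it */
    return status;
}

/* Caller discipline: consume the out-parameter only on RET_SUCCESS. */
pgno_t first_or_invalid(pgno_t start)
{
    pgno_t first;
    if (find_first(start, &first) != RET_SUCCESS)
        return P_INVALID;
    return first;
}
```

Setting `failing_pg = 2` and starting at page 4 exercises the mid-walk failure: the fixed walk returns RET_ERROR with zero pins outstanding, while the pre-fix walk would crash at `h->pgno`. Starting at the failing page itself returns RET_SPECIAL, and `first_or_invalid` maps both to P_INVALID without touching `first`.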
