[Bug 238043] Null pointer dereference in function xdr_rpcb_entry_list_ptr of sys/rpc/rpcb_prot.c
bugzilla-noreply at freebsd.org
Wed May 22 08:16:21 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238043
Bug ID: 238043
Summary: Null pointer dereference in function xdr_rpcb_entry_list_ptr of sys/rpc/rpcb_prot.c
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: yangx92 at hotmail.com
Created attachment 204534
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=204534&action=edit
Proposed patch
There is a null pointer dereference vulnerability in function
xdr_rpcb_entry_list_ptr of sys/rpc/rpcb_prot.c.
01  if (freeing)
02      next = (*rp)->rpcb_entry_next;
03  if (! xdr_reference(xdrs, (caddr_t *)rp,
04      (u_int)sizeof (rpcb_entry_list),
05      (xdrproc_t)xdr_rpcb_entry)) {
06      return (FALSE);
07  }
08  if (freeing && *rp) {
09      next_copy = next;
10      rp = &next_copy;
11      /*
12       * Note that in the subsequent iteration, next_copy
13       * gets nulled out by the xdr_reference
14       * but next itself survives.
15       */
16  } else if (*rp) {
17      rp = &((*rp)->rpcb_entry_next);
18  }
There is an access of rp in line 2 and no access in line 9 and line 10.
Therefore, we should change the condition in line 1 to line 8, and change the
condition in line 8 to line 1.
The attachment is the proposed patch.
--
You are receiving this mail because:
You are the assignee for the bug.
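The free-mode walk discussed in the report, as an added stand-alone C model (not part of the original report and not FreeBSD's code): the read from line 2 is performed only when `*rp` is non-NULL, so an empty list is handled without a dereference. `struct entry`, `free_reference`, `make_list`, `free_entry_list` and the loop-exit test are assumptions made for illustration.

```c
#include <stdlib.h>

/* Hypothetical stand-in for rpcb_entry_list; only the link field matters. */
struct entry {
	struct entry *next;
};

/* Models xdr_reference() in free mode: release *pp and null it out. */
static int free_reference(struct entry **pp)
{
	if (*pp == NULL)
		return 0;
	free(*pp);
	*pp = NULL;
	return 1;
}

/* Constructed input: a list of n heap-allocated entries (NULL when n == 0). */
struct entry *make_list(int n)
{
	struct entry *head = NULL;
	while (n-- > 0) {
		struct entry *e = malloc(sizeof(*e));
		if (e == NULL)
			abort();
		e->next = head;
		head = e;
	}
	return head;
}

/* Free-mode walk; returns the number of entries released. */
int free_entry_list(struct entry **rp)
{
	struct entry *next = NULL, *next_copy;
	int freed = 0;

	for (;;) {
		if (*rp != NULL)	/* guard on the line-2 read */
			next = (*rp)->next;
		freed += free_reference(rp);
		next_copy = next;	/* next survives; next_copy is nulled next pass */
		rp = &next_copy;
		if (*rp == NULL)	/* assumed loop exit, not shown in the report */
			return freed;
	}
}
```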