lib: fix 2 Null Pointer Dereference bugs #18110
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Function `mgmt_be_send_ds_delete_notification` passes a null value as the third argument to function __send_notification.
return __send_notification(__be_client, path, patch, NOTIFY_OP_DS_PATCH);
in function __send_notification, when both the 2nd parameter xpath and 3rd parameter tree are null, a null pointer dereference bug occurs.
assert(op != NOTIFY_OP_NOTIFICATION || xpath || tree);
debug_be_client("%s: sending %sYANG %snotification: %s", __func__,
op == NOTIFY_OP_DS_DELETE ? "delete "
: op == NOTIFY_OP_DS_REPLACE ? "replace "
: op == NOTIFY_OP_DS_PATCH ? "patch "
: "",
op == NOTIFY_OP_NOTIFICATION ? "" : "DS ", xpath ?: tree->schema->name);
Fix:
Add a check that return directly when both xpath and tree are null.
Signed-off-by: mugitya03 <[email protected]>
Function vrf_get can return a NULL value.
if (vrf && vrf_id != VRF_UNKNOWN
&& vrf->vrf_id != VRF_UNKNOWN
&& vrf->vrf_id != vrf_id) {
zlog_debug("VRF_GET: avoid %s creation(%u), same name exists (%u)",
name, vrf_id, vrf->vrf_id);
return NULL;
}
In function lib_vrf_create, the return value from vrf_get is dereferenced without any null value check, causing a null pointer dereference bug.
Fix:
We noticed that other caller functions both check the return value of function vrf_get, thus similarly, we check the return value and return NB_ERR if null.
Signed-off-by: mugitya03 <[email protected]>
eqvinox
requested changes
Feb 12, 2025
| @@ -944,7 +944,9 @@ static int lib_vrf_create(struct nb_cb_create_args *args) | |||
| return NB_OK; | |||
|
|
|||
| vrfp = vrf_get(VRF_UNKNOWN, vrfname); | |||
|
|
|||
| if (!vrfp){ | |||
There was a problem hiding this comment.
vrfname is guaranteed to be non-NULL due to YANG schema validation.
vrf_get cannot return NULL for VRF_UNKNOWN + vrfname != NULL.
This check is therefore superfluous.
| @@ -323,6 +323,9 @@ static int __send_notification(struct mgmt_be_client *client, const char *xpath, | |||
| int ret = 0; | |||
|
|
|||
| assert(op != NOTIFY_OP_NOTIFICATION || xpath || tree); | |||
| if (!xpath && !tree){ | |||
There was a problem hiding this comment.
This is not correct. Due to the mgmt_msg_native_xpath_encode call below, xpath actually must be non-NULL. The assert seems to be in error.
|
Are you using AI/LLM to generate these pull requests? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Modified Fix for #18072
We found and fixed 2 NPD bugs in
libdirectory. This PR has removed the superfluous commits of previous PR #18072 .Thanks for your patience.