Bug 238043

Summary: Null pointer dereference in function xdr_rpcb_entry_list_ptr of sys/rpc/rpcb_prot.c
Product: Base System
Reporter: Young <yangx92>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: New ---
Severity: Affects Many People
Keywords: patch
Priority: ---    
Version: CURRENT   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
Proposed patch none

Description Young 2019-05-22 08:16:17 UTC
Created attachment 204534 [details]
Proposed patch

There is a null pointer dereference vulnerability in function xdr_rpcb_entry_list_ptr of sys/rpc/rpcb_prot.c.

01                if (freeing)
02                        next = (*rp)->rpcb_entry_next;
03                if (! xdr_reference(xdrs, (caddr_t *)rp,
04                    (u_int)sizeof (rpcb_entry_list),
05                                    (xdrproc_t)xdr_rpcb_entry)) {
06                        return (FALSE);
07                }
08                if (freeing && *rp) {
09                        next_copy = next;
10                        rp = &next_copy;
11                        /*
12                         * Note that in the subsequent iteration, next_copy
13                         * gets nulled out by the xdr_reference
14                         * but next itself survives.
15                         */
16                } else if (*rp) {
17                        rp = &((*rp)->rpcb_entry_next);
18                }


There is an access of rp in line 2 and no access in line 9 and line 10.
Therefore, we should change the condition in line 1 to the one in line 8, and change the condition in line 8 to the one in line 1.

The attachment is the proposed patch.
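
A stand-alone model of the free-path walk with the NULL test placed ahead of the rpcb_entry_next read, as the report proposes; this is an added example, not the attached patch and not FreeBSD code. struct entry, release_ref (standing in for xdr_reference when freeing), build_list and the loop-exit test are assumptions made for illustration.

```c
#include <stdlib.h>

/* Simplified stand-in for rpcb_entry_list: only the link field is modelled. */
struct entry { struct entry *rpcb_entry_next; };

/* Assumed stand-in for xdr_reference() when freeing: free *pp and NULL it. */
static void release_ref(struct entry **pp, int *nfreed)
{
	if (*pp != NULL) {
		free(*pp);
		*pp = NULL;
		(*nfreed)++;
	}
}

/* Free-mode walk (freeing is always true here); returns entries released. */
int free_entry_list(struct entry **rp)
{
	struct entry *next, *next_copy;
	int nfreed = 0;
	for (;;) {
		next = NULL;
		if (*rp != NULL)	/* the report's `freeing && *rp` test, moved up */
			next = (*rp)->rpcb_entry_next;
		release_ref(rp, &nfreed);
		if (next == NULL)	/* assumed loop exit, not shown in the excerpt */
			return nfreed;
		next_copy = next;	/* lines 9-10: no dereference of *rp here */
		rp = &next_copy;
	}
}

/* Constructed input: a list of n entries; n == 0 yields a NULL head. */
struct entry *build_list(int n)
{
	struct entry *head = NULL, *e;
	while (n-- > 0) {
		if ((e = malloc(sizeof(*e))) == NULL)
			abort();
		e->rpcb_entry_next = head;
		head = e;
	}
	return head;
}

int main(void)
{
	struct entry *h = build_list(3), *none = NULL;
	return !(free_entry_list(&h) == 3 && free_entry_list(&none) == 0);
}
```

Building it with -fsanitize=address,undefined and running it exercises both the populated list and the NULL head.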
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2023-12-28 11:38:06 UTC
Comment on attachment 204534 [details]
Proposed patch

^Triage: convert this to text/plain and set the Patch flag so that the automation can see it.