Bug 238043 - Null pointer deference in function xdr_rpcb_entry_list_ptr of sys/rpc/rpcb_prot.c
Summary: Null pointer deference in function xdr_rpcb_entry_list_ptr of sys/rpc/rpcb_pr...
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-bugs mailing list
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2019-05-22 08:16 UTC by Young
Modified: 2019-05-24 15:36 UTC (History)
0 users

See Also:


Attachments
Proposed patch (1017 bytes, application/mbox)
2019-05-22 08:16 UTC, Young
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Young 2019-05-22 08:16:17 UTC
Created attachment 204534 [details]
Proposed patch

There is a null pointer deference vulnerability in function xdr_rpcb_entry_list_ptr of sys/rpc/rpcb_prot.c.

01                if (freeing)
02                        next = (*rp)->rpcb_entry_next;
03                if (! xdr_reference(xdrs, (caddr_t *)rp,
04                    (u_int)sizeof (rpcb_entry_list),
05                                    (xdrproc_t)xdr_rpcb_entry)) {
06                        return (FALSE);
07                }
08                if (freeing && *rp) {
09                        next_copy = next;
10                        rp = &next_copy;
11                        /*
12                         * Note that in the subsequent iteration, next_copy
13                         * gets nulled out by the xdr_reference
14                         * but next itself survives.
15                         */
16                } else if (*rp) {
17                        rp = &((*rp)->rpcb_entry_next);
18                }


There is an access of rp in line2 and no access in line 9 and line 10.
Therefore, we should change condition in line1 to line 8, and change condition line 8 to line1.

The attachment is the proposed patch.