Created attachment 204534
Proposed patch

There is a null pointer dereference vulnerability in function xdr_rpcb_entry_list_ptr of sys/rpc/rpcb_prot.c.

01 if (freeing)
02         next = (*rp)->rpcb_entry_next;
03 if (! xdr_reference(xdrs, (caddr_t *)rp,
04     (u_int)sizeof (rpcb_entry_list),
05     (xdrproc_t)xdr_rpcb_entry)) {
06         return (FALSE);
07 }
08 if (freeing && *rp) {
09         next_copy = next;
10         rp = &next_copy;
11         /*
12          * Note that in the subsequent iteration, next_copy
13          * gets nulled out by the xdr_reference
14          * but next itself survives.
15          */
16 } else if (*rp) {
17         rp = &((*rp)->rpcb_entry_next);
18 }

There is an access of rp in line 2 and no access in line 9 and line 10. Therefore, we should change the condition in line 1 to line 8, and change the condition in line 8 to line 1.

The attachment is the proposed patch.
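A simplified model of the free-mode list walk with the successor read guarded by a NULL check, as an added example that is not part of the original report, the attached patch or the FreeBSD source. `entry_list`, `free_reference`, `free_list_guarded` and `make_list` are hypothetical stand-ins (for `rpcb_entry_list` and `xdr_reference` in free mode), and the sample lists are constructed.

```c
#include <stdlib.h>

/* Simplified stand-in for rpcb_entry_list (assumption): only the link field. */
struct entry_list { struct entry_list *next; };

/* Hypothetical stand-in for xdr_reference() in free mode: free *pp, null it. */
static void free_reference(struct entry_list **pp)
{
    free(*pp);
    *pp = NULL;
}

/* Free-mode walk that reads the successor only when *rp is non-NULL. */
int free_list_guarded(struct entry_list **rp)
{
    struct entry_list *next = NULL, *next_copy;
    int freed = 0;

    for (;;) {
        int had_node = (*rp != NULL);
        if (had_node)
            next = (*rp)->next;  /* guarded form of the report's line 02 */
        free_reference(rp);      /* after this call, *rp is NULL */
        if (!had_node)
            break;               /* empty list, or walked off the end */
        freed++;
        next_copy = next;        /* next survives; next_copy is nulled next pass */
        rp = &next_copy;
    }
    return freed;
}

/* Constructed sample input: an n-node list. */
struct entry_list *make_list(int n)
{
    struct entry_list *head = NULL;
    while (n-- > 0) {
        struct entry_list *e = malloc(sizeof(*e));
        if (e == NULL) abort();
        e->next = head;
        head = e;
    }
    return head;
}

int main(void)
{
    struct entry_list *empty = NULL, *three = make_list(3);
    return (free_list_guarded(&empty) == 0 && free_list_guarded(&three) == 3) ? 0 : 1;
}
```

The empty-list call is the case the report is concerned with: `*rp` is NULL on entry, so the walk must finish without touching `(*rp)->next`.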
Comment on attachment 204534
Proposed patch

^Triage: convert this to text/plain and set the Patch flag so that the automation can see it.