
issue about null pointer dereference

Open QiuYitai opened this issue 9 months ago • 1 comments

Hello, our team has recently been conducting research on a null-pointer-dereference (NPD) vulnerability detection tool and used it to scan smatch (the version on the master branch). After a manual review, we have identified some potentially vulnerable code snippets that may lead to null-pointer-dereference bugs. The NULL Dereference vulnerability happens in `char *get_variable_from_key`, smatch_param_key.c. How the NULL Pointer Dereference happens:

  1. When sym is NULL
  2. When the return of strstr(key, "<~$") is True and arg != expr
  3. NULL dereference of variable sym happens at *sym = expr_to_sym(expr);

```c
char *get_variable_from_key(struct expression *arg, const char *key, struct symbol **sym)
{
    struct symbol *type;
    char buf[256];
    char *tmp;
    bool address = false;
    int star_cnt = 0;
    bool add_dot = false;
    int ret;
    if (sym) //sym == NULL
    {
        ......
    }
    ......
    if (strstr(key, "<~$")) {
        struct expression *expr;
        char *new_key = NULL;

        expr = map_container_of_to_simpler_expr_key(arg, key, &new_key);
        if (!expr)
            return NULL;
=>      if (arg != expr) {
            arg = expr;
=>          *sym = expr_to_sym(expr);
        }
        key = new_key;
    }
    ......
}
```

QiuYitai avatar Mar 26 '25 04:03 QiuYitai
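The pattern reported above is an optional out-parameter (`sym` may be NULL, and the function already guards it once at the top) that is later written unconditionally inside the `"<~$"` branch. The following is an added example, not smatch's own code: it models the function's shape with constructed stand-ins for `struct expression`, `struct symbol`, `expr_to_sym()` and `map_container_of_to_simpler_expr_key()` (here `map_to_simpler()`), and shows the guarded form in which every write through `sym` is checked, so a caller passing NULL for `sym` is handled the same way on both paths.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the example; smatch's real struct expression
 * and struct symbol are not reproduced here. */
struct symbol { const char *name; };
struct expression {
    struct symbol *sym;          /* symbol this expression refers to */
    struct expression *simpler;  /* constructed: the "simpler" expression */
};

/* Stand-in for expr_to_sym(): the symbol an expression refers to. */
static struct symbol *expr_to_sym(struct expression *expr)
{
    return expr ? expr->sym : NULL;
}

/* Stand-in for map_container_of_to_simpler_expr_key(): a key carrying the
 * "<~$" marker is rewritten to the simpler expression stored in the
 * argument (or the argument itself), and the key is reduced to "$". */
static struct expression *map_to_simpler(struct expression *arg,
                                         const char *key,
                                         const char **new_key)
{
    (void)key;
    *new_key = "$";
    return arg->simpler ? arg->simpler : arg;
}

/* Guarded form of the reported function shape: `sym` is optional, so the
 * write inside the "<~$" branch is guarded exactly like the one at the top.
 * Returns the variable name, or NULL when there is none. */
const char *get_variable_from_key_guarded(struct expression *arg,
                                          const char *key,
                                          struct symbol **sym)
{
    if (!arg)
        return NULL;
    if (sym)
        *sym = expr_to_sym(arg);

    if (strstr(key, "<~$")) {
        const char *new_key = NULL;
        struct expression *expr = map_to_simpler(arg, key, &new_key);

        if (!expr)
            return NULL;
        if (arg != expr) {
            arg = expr;
            if (sym)            /* guard: caller may have passed NULL */
                *sym = expr_to_sym(expr);
        }
        key = new_key;
    }

    if (!arg->sym)
        return NULL;
    return arg->sym->name;
}

int main(void)
{
    /* Constructed sample: an outer expression whose "<~$" key maps to an
     * inner expression with a different symbol. */
    struct symbol outer = { "outer" }, inner = { "inner" };
    struct expression ie = { &inner, NULL };
    struct expression oe = { &outer, &ie };
    struct symbol *s = NULL;

    /* Caller that does not care about the symbol passes NULL: must not crash. */
    printf("%s\n", get_variable_from_key_guarded(&oe, "$<~$", NULL));
    /* Caller that wants the symbol gets the inner one on the "<~$" path. */
    printf("%s %s\n", get_variable_from_key_guarded(&oe, "$<~$", &s), s->name);
    return 0;
}
```

The discipline the example shows is the one the fix needs: an out-parameter that is checked for NULL once must be checked at every later write, or the first check only documents a contract the function does not keep.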

Thanks! Fixed.

error27 avatar Mar 26 '25 08:03 error27