NULL Pointer Dereference vulnerability in `int iscsi_process_text_reply()`
The NULL Dereference vulnerability happens in `int iscsi_process_text_reply()`, in ccan/iscsi/discovery.c.
How the NULL Pointer Dereference happens:
- `*targets` is set to NULL at `struct iscsi_discovery_address *targets = NULL;`.
- When the following conditions are met: `size > 0`, `len != 0`, and `len <= size`, and the current string starts with `TargetAddress=` while `targets` is still NULL (the excerpt elides the `TargetName=` branch, so whether that branch assigns `targets` before a `TargetAddress=` string is reached is not visible here).
- Dereference of NULL variable `targets->target_address` in `targets->target_address = strdup((char *)hdr+14);`.
int iscsi_process_text_reply(struct iscsi_context *iscsi, struct iscsi_pdu *pdu, const unsigned char *hdr, int size)
{
=> struct iscsi_discovery_address *targets = NULL;
...
while (size > 0) {
int len;
len = strlen((char *)hdr);
if (len == 0) {
break;
}
if (len > size) {
......
}
if (!strncmp((char *)hdr, "TargetName=", 11)) {
......
} else if (!strncmp((char *)hdr, "TargetAddress=", 14)) {
=> targets->target_address = strdup((char *)hdr+14);
......
}
......
}
The NULL Dereference vulnerability happens in `static void node_insert()`, in ccan/btree/btree.c.
How the NULL Pointer Dereference happens:
- `*xr` is set to NULL in `btree_insert_at()` at `struct btree_node *xr = NULL;`.
- Then, `*xr` is passed as a parameter to the `node_insert()` function.
- Dereference of NULL variable `xr->parent` in `xr->parent = p;`. Note that this assignment is inside the `if (p->depth)` branch, so it is reached only when the node passed as `p` has nonzero depth (i.e. is not a leaf); whether `btree_insert_at()` can pass a non-leaf `iter->node` with `xr == NULL` is not shown in the excerpt.
void btree_insert_at(btree_iterator iter, const void *item)
{
const void *x = item;
=> struct btree_node *xr = NULL;
...
if (iter->node->count < MAX) {
=> node_insert(x, xr, iter->node, iter->k);
...
}
......
}
static void node_insert(const void *x, struct btree_node *xr,struct btree_node *p, unsigned int k)
{
unsigned int i;
for (i = p->count; i-- > k;)
p->item[i+1] = p->item[i];
p->item[k] = x;
if (p->depth) {
k++;
for (i = p->count+1; i-- > k;) {
p->branch[i+1] = p->branch[i];
p->branch[i+1]->k = i+1;
}
p->branch[k] = xr;
=> xr->parent = p;
......
}
......
}