
Fix the null reference vulnerability.

Open QiuYitai opened this issue 8 months ago • 0 comments

Hello, our team has recently been conducting research on a null-pointer-dereference (NPD) vulnerability detection tool and used it to scan libnfs (the version on the master branch). After a manual review, we have identified some potentially vulnerable code snippets that may lead to null-pointer-dereference bugs. The NULL dereference vulnerability happens in static void nfs4_open_confirm_cb(), nfs_v4.c. How the NULL pointer dereference happens:

  1. When res == NULL.
  2. NULL dereference of variable res happens at ocresok = &res->resarray.resarray_val[i].nfs_resop4_u.opopen_confirm.OPEN_CONFIRM4res_u.resok4;
```c
static void
nfs4_open_confirm_cb(struct rpc_context *rpc, int status, void *command_data,
                     void *private_data)
{
    ......
    COMPOUND4res *res = command_data;
    ......
=>  if (res){//false
        nfs_increment_seqid(fh, res->status);
    }
    if (check_nfs4_error(nfs, status, data, res, "OPEN_CONFIRM")) {......}
    if ((i = nfs4_find_op(nfs, data, res, OP_OPEN_CONFIRM,"OPEN_CONFIRM")) < 0) {return;}
=>  ocresok = &res->resarray.resarray_val[i].nfs_resop4_u.opopen_confirm.OPEN_CONFIRM4res_u.resok4;
    ......
}
```

QiuYitai, Apr 18 '25 06:04
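Added illustration of the control-flow pattern the report describes, not libnfs code: `res` is guarded once, then passed through `check_nfs4_error()` and `nfs4_find_op()` and dereferenced unconditionally. The types and helpers below are simplified stand-ins for the real XDR-generated `COMPOUND4res`, `check_nfs4_error()` and `nfs4_find_op()`; the enum values, `OP_OPEN_CONFIRM` number, `resok_payload` field and `sample_reply()` are assumptions made for the example. `unguarded_deref_reachable()` models, without touching memory, which (RPC status, res) combinations reach the flagged line with `res == NULL`; `open_confirm_cb_hardened()` shows the callback with an explicit NULL check placed after the error check, which is the fix the report asks for.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the libnfs types the report quotes (assumed layout). */
enum { RPC_STATUS_SUCCESS = 0, RPC_STATUS_ERROR = 1 }; /* assumed values */
#define OP_OPEN_CONFIRM 20                               /* assumed value */
#define NFS4_OK 0

typedef struct {
    int resop;         /* which NFSv4 operation this result belongs to */
    int resok_payload; /* stands in for OPEN_CONFIRM4res_u.resok4 */
} nfs_resop4;

typedef struct {
    int status;        /* NFSv4 status of the whole compound */
    struct {
        unsigned    resarray_len;
        nfs_resop4 *resarray_val;
    } resarray;
} COMPOUND4res;

/* Simplified check_nfs4_error(): nonzero means the callback must bail out.
 * A NULL res passes straight through when the RPC status is SUCCESS. */
static int check_nfs4_error(int status, const COMPOUND4res *res)
{
    if (status != RPC_STATUS_SUCCESS)
        return 1;
    if (res && res->status != NFS4_OK)
        return 1;
    return 0;
}

/* Simplified nfs4_find_op(): index of op in the reply, or -1. Requires res != NULL. */
static int nfs4_find_op(const COMPOUND4res *res, int op)
{
    for (unsigned i = 0; i < res->resarray.resarray_len; i++)
        if (res->resarray.resarray_val[i].resop == op)
            return (int)i;
    return -1;
}

/* Models the reported control flow without dereferencing anything: returns 1
 * when execution would reach the unconditional `&res->resarray...` line with
 * res == NULL, i.e. the state the analyzer flagged. */
static int unguarded_deref_reachable(int status, int res_is_null, int nfs_status)
{
    COMPOUND4res stub = { .status = nfs_status };
    const COMPOUND4res *res = res_is_null ? NULL : &stub;

    if (res) { /* nfs_increment_seqid(fh, res->status) would run here */ }
    if (check_nfs4_error(status, res))
        return 0;          /* early return: the dereference is never reached */
    return res == NULL;    /* the next statement dereferences res unconditionally */
}

/* Hardened shape of the callback: NULL is handled explicitly after the error
 * check, so neither nfs4_find_op() nor the resok lookup ever sees NULL.
 * Returns 0 and stores the payload in *out, or -1 when the callback gives up. */
static int open_confirm_cb_hardened(int status, void *command_data, int *out)
{
    const COMPOUND4res *res = command_data;
    int i;

    if (check_nfs4_error(status, res))
        return -1;
    if (res == NULL)       /* the guard the report asks for */
        return -1;
    if ((i = nfs4_find_op(res, OP_OPEN_CONFIRM)) < 0)
        return -1;
    *out = res->resarray.resarray_val[i].resok_payload;
    return 0;
}

/* Constructed sample reply: a two-operation compound whose second result is OPEN_CONFIRM. */
static COMPOUND4res *sample_reply(void)
{
    static nfs_resop4 ops[2] = { { 3, 0 }, { OP_OPEN_CONFIRM, 42 } };
    static COMPOUND4res reply = { NFS4_OK, { 2, ops } };
    return &reply;
}

int main(void)
{
    int v = 0;
    printf("deref reachable (SUCCESS, NULL res): %d\n",
           unguarded_deref_reachable(RPC_STATUS_SUCCESS, 1, NFS4_OK));
    printf("hardened cb on NULL res: %d\n",
           open_confirm_cb_hardened(RPC_STATUS_SUCCESS, NULL, &v));
    printf("hardened cb on sample reply: %d (payload %d)\n",
           open_confirm_cb_hardened(RPC_STATUS_SUCCESS, sample_reply(), &v), v);
    return 0;
}
```

The model function makes the analyzer's reasoning concrete: every path with a non-SUCCESS RPC status returns early, so the only path that reaches the flagged line with a NULL `res` is RPC success combined with a NULL reply; whether the RPC layer can actually deliver that combination is the question a maintainer would check before deciding if the extra guard is required or merely defensive.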