This is the mail archive of the ecos-bugs@sourceware.org mailing list for the eCos project.



[Bug 1001588] New: NULL pointer access in lwIP SNMP agent


Please do not reply to this email. Use the web interface provided at:
http://bugs.ecos.sourceware.org/show_bug.cgi?id=1001588

           Summary: NULL pointer access in lwIP SNMP agent
           Product: eCos
           Version: CVS
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: major
          Priority: low
         Component: lwIP
        AssignedTo: unassigned@bugs.ecos.sourceware.org
        ReportedBy: michael.odowd@kuantic.com
                CC: ecos-bugs@ecos.sourceware.org
             Class: Advice Request


Created an attachment (id=1758)
 --> (http://bugs.ecos.sourceware.org/attachment.cgi?id=1758)
Patch File

Bus Fault occurs due to NULL pointer access in lwIP SNMP agent code.

Platform: Cortex-M, but should affect all platforms.
File: packages/net/lwip_tcpip/current/src/core/snmp/msg_in.c
Function: snmp_varbind_tail_remove()

Description: The function snmp_varbind_tail_remove() is used to remove an
element from a linked list. When removing the last element in the linked list,
a NULL pointer access occurs. On a Cortex-M, this causes a Bus Fault.

Problem identified and patch provided.

Current code:

  struct snmp_varbind*
  snmp_varbind_tail_remove(struct snmp_varbind_root *root)
  {
    struct snmp_varbind* vb;

    if (root->count > 0)
    {
      /* remove tail varbind */
      vb = root->tail;
      root->tail = vb->prev;
      vb->prev->next = NULL;       /* <--- BUG !!! */
      root->count -= 1;
    }
    else
    {
      /* nothing to remove */
      vb = NULL;
    }
    return vb;
  }

When removing the last element in the list, vb->prev is already NULL. So the
line vb->prev->next is equivalent to NULL->next.

Solution: Test the value of vb->prev before accessing it.

Corrected code: (patch file attached)

struct snmp_varbind*
snmp_varbind_tail_remove(struct snmp_varbind_root *root)
{
  struct snmp_varbind* vb;

  if (root->count > 0)
  {
    /* remove tail varbind */
    vb = root->tail;
    root->tail = vb->prev;
    if (vb->prev)               /* <---- Add this line. */
      vb->prev->next = NULL;
    root->count -= 1;
  }
  else
  {
    /* nothing to remove */
    vb = NULL;
  }
  return vb;
}

-- 
Configure bugmail: http://bugs.ecos.sourceware.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
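
Added example, not part of the original report or of the eCos/lwIP sources: a small host-side harness that drains a list through the patched function, covering the single-element case that faulted. The two struct definitions are constructed stand-ins holding only the fields used above, and drain_list() and MAX_VB are hypothetical names.

```c
#include <stddef.h>

/* Constructed stand-ins: only the fields the reported function touches. */
struct snmp_varbind { struct snmp_varbind *next, *prev; };
struct snmp_varbind_root { struct snmp_varbind *tail; unsigned char count; };

/* Patched function, as given in the report. */
struct snmp_varbind *
snmp_varbind_tail_remove(struct snmp_varbind_root *root)
{
  struct snmp_varbind *vb;
  if (root->count > 0) {
    vb = root->tail;
    root->tail = vb->prev;
    if (vb->prev)                 /* NULL when vb was the only element */
      vb->prev->next = NULL;
    root->count -= 1;
  } else {
    vb = NULL;                    /* nothing to remove */
  }
  return vb;
}

#define MAX_VB 8                  /* hypothetical test bound */

/* Hypothetical helper: build a list of n nodes, then remove tails until the
   list is empty. Returns the number removed, or -1 on any inconsistency. */
int drain_list(int n)
{
  static struct snmp_varbind vbs[MAX_VB];
  struct snmp_varbind_root root = { NULL, 0 };
  struct snmp_varbind *vb;
  int i, removed = 0;
  if (n < 0 || n > MAX_VB) return -1;
  for (i = 0; i < n; i++) {       /* append vbs[i] at the tail */
    vbs[i].prev = root.tail;
    vbs[i].next = NULL;
    if (root.tail) root.tail->next = &vbs[i];
    root.tail = &vbs[i];
    root.count++;
  }
  while ((vb = snmp_varbind_tail_remove(&root)) != NULL) {
    if (vb != &vbs[n - 1 - removed]) return -1;           /* wrong node */
    if (root.tail && root.tail->next != NULL) return -1;  /* stale link */
    removed++;
  }
  return (root.tail == NULL && root.count == 0) ? removed : -1;
}

/* n = 1 is the case that dereferenced NULL before the patch. */
int main(void) { return (drain_list(1) == 1 && drain_list(3) == 3) ? 0 : 1; }
```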

