This is the mail archive of the ecos-bugs@sourceware.org mailing list for the eCos project.
[Bug 1001588] New: NULL pointer access in lwIP SNMP agent
- From: bugzilla-daemon at bugs dot ecos dot sourceware dot org
- To: unassigned at bugs dot ecos dot sourceware dot org
- Date: Wed, 16 May 2012 10:16:56 +0100
- Subject: [Bug 1001588] New: NULL pointer access in lwIP SNMP agent
- Auto-submitted: auto-generated
Please do not reply to this email. Use the web interface provided at:
http://bugs.ecos.sourceware.org/show_bug.cgi?id=1001588
Summary: NULL pointer access in lwIP SNMP agent
Product: eCos
Version: CVS
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: major
Priority: low
Component: lwIP
AssignedTo: unassigned@bugs.ecos.sourceware.org
ReportedBy: michael.odowd@kuantic.com
CC: ecos-bugs@ecos.sourceware.org
Class: Advice Request
Created an attachment (id=1758)
--> (http://bugs.ecos.sourceware.org/attachment.cgi?id=1758)
Patch File
Bus Fault occurs due to NULL pointer access in lwIP SNMP agent code.
Platform: Cortex-M, but should affect all platforms.
File: packages/net/lwip_tcpip/current/src/core/snmp/msg_in.c:
Function: snmp_varbind_tail_remove()
Description: The function snmp_varbind_tail_remove() is used to remove an
element from a linked list. When removing the last element in the linked list,
a NULL pointer access occurs. On a Cortex-M, this causes a Bus Fault.
Problem identified and patch provided.
Current code:
struct snmp_varbind*
snmp_varbind_tail_remove(struct snmp_varbind_root *root)
{
  struct snmp_varbind* vb;

  if (root->count > 0)
  {
    /* remove tail varbind */
    vb = root->tail;
    root->tail = vb->prev;
    vb->prev->next = NULL;   /* <--- BUG !!! */
    root->count -= 1;
  }
  else
  {
    /* nothing to remove */
    vb = NULL;
  }
  return vb;
}
When removing the last element in the list, vb->prev is already NULL. So the
line vb->prev->next is equivalent to NULL->next.
Solution: Test the value of vb->prev before accessing it.
Corrected code: (patch file attached)
struct snmp_varbind*
snmp_varbind_tail_remove(struct snmp_varbind_root *root)
{
  struct snmp_varbind* vb;

  if (root->count > 0)
  {
    /* remove tail varbind */
    vb = root->tail;
    root->tail = vb->prev;
    if (vb->prev)            /* <---- Add this line. */
      vb->prev->next = NULL;
    root->count -= 1;
  }
  else
  {
    /* nothing to remove */
    vb = NULL;
  }
  return vb;
}
--
Configure bugmail: http://bugs.ecos.sourceware.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
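
Added example, not part of the original report or of the eCos/lwIP sources: a self-contained regression check that drains a list through the patched removal, including the single-element case that faulted. The structs are reduced to the fields the report's code touches, and varbind_tail_add() and drain_and_check() are hypothetical helpers written for this check.

```c
#include <stddef.h>

/* Reduced stand-ins for the lwIP types: only the fields the report's code touches. */
struct snmp_varbind { struct snmp_varbind *next, *prev; };
struct snmp_varbind_root { struct snmp_varbind *tail; unsigned count; };

/* Hypothetical helper for this check: append vb at the tail of the list. */
static void varbind_tail_add(struct snmp_varbind_root *root, struct snmp_varbind *vb)
{
  vb->next = NULL;
  vb->prev = root->tail;
  if (root->tail != NULL)
    root->tail->next = vb;
  root->tail = vb;
  root->count += 1;
}

/* Removal logic with the NULL test proposed in the report. */
static struct snmp_varbind *varbind_tail_remove(struct snmp_varbind_root *root)
{
  struct snmp_varbind *vb;
  if (root->count > 0) {
    vb = root->tail;
    root->tail = vb->prev;
    if (vb->prev)              /* NULL when vb is the only element left */
      vb->prev->next = NULL;
    root->count -= 1;
  } else {
    vb = NULL;                 /* nothing to remove */
  }
  return vb;
}

/* Build a list of n (<= 8) varbinds, drain it, and verify the list invariants.
   Returns the number of removals, or -1 if an invariant is violated. */
int drain_and_check(unsigned n)
{
  struct snmp_varbind nodes[8], *vb;
  struct snmp_varbind_root root = { NULL, 0 };
  unsigned i, removed = 0;
  if (n > 8) return -1;
  for (i = 0; i < n; i++) varbind_tail_add(&root, &nodes[i]);
  while ((vb = varbind_tail_remove(&root)) != NULL) {
    if (vb != &nodes[n - 1 - removed]) return -1;      /* tail-first order */
    if (root.tail != NULL && root.tail->next != NULL) return -1;
    removed++;
  }
  /* Drained list: tail cleared, count zero, further removal is a no-op. */
  if (root.tail != NULL || root.count != 0 || varbind_tail_remove(&root) != NULL) return -1;
  return (int)removed;
}
```

drain_and_check(1) is the case from the report: the only element has prev == NULL, so the unpatched code would dereference NULL at that point.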