From patchwork Thu Mar 31 14:10:48 2022
X-Patchwork-Submitter: Dmitry Chestnyh
X-Patchwork-Id: 52528
From: Dmitry Chestnyh
Subject: [PATCH] [sunrpc] Fix possible null-pointer dereference.
Date: Thu, 31 Mar 2022 17:10:48 +0300
Message-ID: <20220331141047.357849-1-d.chestnyh@omp.ru>

This issue was found by the SVACE static analyzer. In the clntunix_call function there are no obvious checks of the xdr_results ptr value. And it seems that we can't be sure that this pointer isn't NULL.

--- sunrpc/clnt_unix.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sunrpc/clnt_unix.c b/sunrpc/clnt_unix.c index 33a02cc8af..ef8ef5fb4d 100644 --- a/sunrpc/clnt_unix.c +++ b/sunrpc/clnt_unix.c @@ -44,6 +44,7 @@ * Now go hang yourself. */ +#include #include #include #include @@ -278,6 +279,7 @@ call_again: _seterr_reply (&reply_msg, &(ct->ct_error)); if (ct->ct_error.re_status == RPC_SUCCESS) { + assert(xdr_results != NULL); if (!AUTH_VALIDATE (h->cl_auth, &reply_msg.acpted_rply.ar_verf)) { ct->ct_error.re_status = RPC_AUTHERROR;
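
Review bot: In the second hunk, `assert(xdr_results != NULL);` does not close the NULL dereference the commit message describes. assert is compiled out when NDEBUG is defined, and when it is active it aborts the calling process from inside library code instead of reporting an RPC error. It is also placed inside the `ct->ct_error.re_status == RPC_SUCCESS` branch, so a NULL xdr_results is only noticed after `_seterr_reply` has already processed a reply. Consider an explicit check at the start of clntunix_call that reports a failure through `ct->ct_error.re_status`, which would also make the include added in the first hunk unnecessary. If the assert stays, the surrounding lines use GNU style with a space before the parenthesis (`_seterr_reply (&reply_msg, ...)`), so it should read `assert (xdr_results != NULL);`.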