public inbox for ecos-bugs@sourceware.org
* [Bug 1001588] New: NULL pointer access in lwIP SNMP agent
@ 2012-05-16 9:17 bugzilla-daemon
2012-05-16 15:01 ` [Bug 1001588] " bugzilla-daemon
0 siblings, 1 reply; 3+ messages in thread
From: bugzilla-daemon @ 2012-05-16 9:17 UTC (permalink / raw)
To: ecos-bugs
Please do not reply to this email. Use the web interface provided at:
http://bugs.ecos.sourceware.org/show_bug.cgi?id=1001588
Summary: NULL pointer access in lwIP SNMP agent
Product: eCos
Version: CVS
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: major
Priority: low
Component: lwIP
AssignedTo: unassigned@bugs.ecos.sourceware.org
ReportedBy: michael.odowd@kuantic.com
CC: ecos-bugs@ecos.sourceware.org
Class: Advice Request
Created an attachment (id=1758)
--> (http://bugs.ecos.sourceware.org/attachment.cgi?id=1758)
Patch File
Bus Fault occurs due to NULL pointer access in lwIP SNMP agent code.
Platform: Cortex-M, but should affect all platforms.
File: packages/net/lwip_tcpip/current/src/core/snmp/msg_in.c:
Function: snmp_varbind_tail_remove()
Description: The function snmp_varbind_tail_remove() is used to remove an
element from a linked list. When removing the last element in the linked list,
a NULL pointer access occurs. On a Cortex-M, this causes a Bus Fault.
Problem identified and patch provided.
Current code:
struct snmp_varbind*
snmp_varbind_tail_remove(struct snmp_varbind_root *root)
{
  struct snmp_varbind* vb;
  if (root->count > 0)
  {
    /* remove tail varbind */
    vb = root->tail;
    root->tail = vb->prev;
    vb->prev->next = NULL;   /* <--- BUG !!! */
    root->count -= 1;
  }
  else
  {
    /* nothing to remove */
    vb = NULL;
  }
  return vb;
}
When removing the last element in the list, vb->prev is already NULL. So the
line vb->prev->next is equivalent to NULL->next.
Solution: Test the value of vb->prev before accessing it.
Corrected code: (patch file attached)
struct snmp_varbind*
snmp_varbind_tail_remove(struct snmp_varbind_root *root)
{
  struct snmp_varbind* vb;
  if (root->count > 0)
  {
    /* remove tail varbind */
    vb = root->tail;
    root->tail = vb->prev;
    if (vb->prev)            /* <---- Add this line. */
      vb->prev->next = NULL;
    root->count -= 1;
  }
  else
  {
    /* nothing to remove */
    vb = NULL;
  }
  return vb;
}
--
Configure bugmail: http://bugs.ecos.sourceware.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 3+ messages in thread
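Added example, not part of the original report and not eCos or lwIP code: a small regression check that drains a list with the corrected function from the report and verifies the list state after every removal, including the single-element case that triggered the fault. The struct definitions are simplified stand-ins (an assumption) holding only the fields the posted code uses, and drain_and_check is a hypothetical helper name.

```c
#include <stddef.h>
/* Simplified stand-ins (assumption): only the fields the posted code uses. */
struct snmp_varbind { struct snmp_varbind *next, *prev; };
struct snmp_varbind_root { struct snmp_varbind *tail; unsigned int count; };

/* Corrected function as posted in the report. */
struct snmp_varbind *
snmp_varbind_tail_remove(struct snmp_varbind_root *root)
{
  struct snmp_varbind *vb;
  if (root->count > 0) {
    vb = root->tail;
    root->tail = vb->prev;
    if (vb->prev)               /* NULL when vb was the only element */
      vb->prev->next = NULL;
    root->count -= 1;
  } else {
    vb = NULL;                  /* nothing to remove */
  }
  return vb;
}

/* Hypothetical check: build an n-element list (n <= 8), drain it from the
   tail, and return 0 if every step is consistent, else the failing step. */
int drain_and_check(unsigned int n)
{
  struct snmp_varbind pool[8], *vb, *want;
  struct snmp_varbind_root root = { NULL, 0 };
  unsigned int i, left;
  if (n > 8) return -1;
  for (i = 0; i < n; i++) {     /* append pool[i]; pool[n-1] ends as tail */
    pool[i].prev = root.tail;
    pool[i].next = NULL;
    if (root.tail) root.tail->next = &pool[i];
    root.tail = &pool[i];
    root.count++;
  }
  for (left = n; left > 0; left--) {
    want = (left > 1) ? &pool[left - 2] : NULL;   /* expected new tail */
    vb = snmp_varbind_tail_remove(&root);
    if (vb != &pool[left - 1] || root.count != left - 1 ||
        root.tail != want || (want && want->next != NULL))
      return (int)(n - left + 1);
  }
  if (snmp_varbind_tail_remove(&root) != NULL || root.count != 0)
    return (int)n + 1;          /* empty list must yield NULL, stay empty */
  return 0;
}
int main(void) { return drain_and_check(1) || drain_and_check(3); }
```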
* [Bug 1001588] NULL pointer access in lwIP SNMP agent
2012-05-16 9:17 [Bug 1001588] New: NULL pointer access in lwIP SNMP agent bugzilla-daemon
@ 2012-05-16 15:01 ` bugzilla-daemon
0 siblings, 0 replies; 3+ messages in thread
From: bugzilla-daemon @ 2012-05-16 15:01 UTC (permalink / raw)
To: ecos-bugs
Please do not reply to this email. Use the web interface provided at:
http://bugs.ecos.sourceware.org/show_bug.cgi?id=1001588
Jonathan Larmour <jifl@ecoscentric.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jifl@ecoscentric.com
--- Comment #1 from Jonathan Larmour <jifl@ecoscentric.com> 2012-05-16 16:00:32 BST ---
Thanks Michael. Have you already submitted this upstream to lwIP? I can't see
it at http://savannah.nongnu.org/bugs/?group=lwip
It's probably most important of all to get it submitted there, otherwise we
risk accidentally losing this fix if our lwIP port is updated to a newer lwIP.
If they're happy the bug and patch are valid, we can certainly commit it here
too.
^ permalink raw reply [flat|nested] 3+ messages in thread