Potential for NULL pointer de-references (CWE-476) in file 'rbt-tests.c' in BIND-9.12.1-P2
Summary
In reviewing source code in BIND-9.12.1-P2, in directory 'lib/dns/tests', file 'rbt_tests.c', calls to isc_mem_get() are not checked for a return value of NULL, indicating failure, which could lead to a de-reference and segmentation fault.
Steps to reproduce
N/A
What is the current bug behavior?
Calls to isc_mem_get() are not checked for a return value of NULL
What is the expected correct behavior?
Check all calls to isc_mem_get() for a return value of NULL
Relevant configuration files
N/A
Relevant logs and/or screenshots
N/A
Possible fixes
Fixes are below and attached as a patch file to this issue report:
--- rbt_test.c.orig 2018-07-13 03:52:52.202531585 -0700 +++ rbt_test.c 2018-07-13 03:55:53.938567060 -0700 @@ -182,11 +182,13 @@ name = dns_fixedname_name(&fname);
n = isc_mem_get(mctx, sizeof(size_t));
-
ATF_REQUIRE(n != NULL); *n = i + 1; result = dns_rbt_addname(ctx->rbt, name, n); ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); n = isc_mem_get(mctx, sizeof(size_t));
-
ATF_REQUIRE(n != NULL); *n = node_distances[i]; result = dns_rbt_addname(ctx->rbt_distances, name, n); ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
@@ -379,6 +381,7 @@ char namebuf[34];
n = isc_mem_get(mctx, sizeof(size_t));
-
AFT_REQUIRE(n != NULL); *n = i + 1; while (1) {
@@ -465,6 +468,7 @@ dns_name_t *name;
n = isc_mem_get(mctx, sizeof(size_t));
-
AFT_REQUIRE(n != NULL); *n = i + 1; snprintf(namebuf, sizeof(namebuf), "name%08x.", i);
@@ -751,6 +755,7 @@ ATF_REQUIRE_EQ(node->data, NULL);
n = isc_mem_get(mctx, sizeof(size_t));
-
ATF_REQUIRE(n != NULL); *n = i; node->data = n;[rbt_test.c.patch](/uploads/c938d79d54cf63220630c33756f6f05f/rbt_test.c.patch)
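Review bot: The file header names rbt_test.c.orig and rbt_test.c with no directory component, while the report places the file in lib/dns/tests and calls it rbt_tests.c (rbt-tests.c in the title). Please regenerate the patch from the top of the source tree so the target path is unambiguous, and make the filename in the report match the one in the patch.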
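Review bot: In the @@ -379,6 +381,7 @@ hunk the added check is spelled AFT_REQUIRE(n != NULL), and the same spelling recurs in the @@ -465,6 +468,7 @@ hunk, while the other two hunks use ATF_REQUIRE. Unless an AFT_REQUIRE macro exists these two lines will not build; change both to ATF_REQUIRE(n != NULL) so the check runs before the *n = i + 1 assignment.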