A potential null reference in dhcp project
The following was received on Thursday 14th July 2022 by Security Officer from Victor Tom vv474172261@gmail.com
Hi,
in function parse_executable_statements:
int parse_executable_statements (statements, cfile, lose, case_context)...
{
    next = statements;
    while (parse_executable_statement (next, cfile, lose, case_context))
        next = &((*next) -> next);
    ...
}
it assumes parse_executable_statement will return 1 after setting statements.
However, in function parse_executable_statement:
switch (token) {
    case EVAL:
        skip_token(&val, (unsigned *)0, cfile);
        if (!executable_statement_allocate (result, MDL))
            log_fatal ("no memory for eval statement.");
        (*result) -> op = eval_statement;
        if (!parse_expression (&(*result) -> data.eval,
                               cfile, lose, context_data, /* XXX */
                               (struct expression **)0, expr_none)) {
            if (!*lose)
                parse_warn (cfile,
                            "expecting data expression.");
            else
                *lose = 1;
            skip_to_semi (cfile);
            executable_statement_dereference (result, MDL);
            return 0;
        }
        if (!parse_semi (cfile)) {                            <<<<<<<<<L0
            *lose = 1;
            executable_statement_dereference (result, MDL);   <<<<<<<<<<L1
        }
        break;
}
return 1;
If the case is EVAL and parse_semi(cfile) returns 0 at label L0, it will dereference result, freeing it and setting it to 0. This is unexpected by parse_executable_statements. Thus, it may refer to a NULL pointer.
I don't have a PoC, but this situation is expected if we can control cfile's content.
Regards, VictorV of Cyber Kunlun Lab
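Added example, not ISC dhcp's code: a minimal C model of the control flow in the report. parse_stmt_buggy mirrors the EVAL case, which on a missing ';' frees and NULLs *result yet still returns 1, so the caller loop goes on to take &((*next)->next); parse_stmt_fixed reports such a statement as a failure instead, which is the check the caller relies on. The struct, function names and the one-character-per-statement input are assumptions of the model.

```c
#include <stdlib.h>
/* One statement node; only the link matters for this model. */
struct stmt { struct stmt *next; };
/* Constructed input: one char per statement. 'e' = statement ending in ';',
   'x' = statement whose ';' is missing (the parse_semi failure case). */
struct cfile { const char *tok; };
/* Mirrors the EVAL case in the report: on a missing ';' it frees *result
   and sets it to NULL, yet still returns 1. */
static int parse_stmt_buggy(struct stmt **result, struct cfile *cf, int *lose)
{
    if (*cf->tok == '\0') return 0;           /* no more statements */
    *result = calloc(1, sizeof **result);
    if (!*result) abort();
    if (*cf->tok++ == 'x') {                  /* parse_semi() == 0 */
        *lose = 1;
        free(*result);
        *result = NULL;                       /* ..._dereference() effect */
    }
    return 1;
}
/* Same parse, but a statement that was torn down is reported as failure. */
static int parse_stmt_fixed(struct stmt **result, struct cfile *cf, int *lose)
{
    return parse_stmt_buggy(result, cf, lose) && *result != NULL;
}
/* The caller loop. Returns the number of nodes linked, or -1 at the point
   where the original would evaluate (*next)->next on a NULL *next. */
static int parse_statements(struct stmt **statements, struct cfile *cf, int *lose,
                            int (*parse)(struct stmt **, struct cfile *, int *))
{
    struct stmt **next = statements;
    int n = 0;
    while (parse(next, cf, lose)) {
        if (*next == NULL) return -1;         /* would be a NULL dereference */
        next = &((*next)->next);
        n++;
    }
    return n;
}
/* Runs one constructed input through either parser and frees the list. */
int run(const char *src, int buggy, int *lose)
{
    struct cfile cf = { src };
    struct stmt *head = NULL, *s;
    *lose = 0;
    int n = parse_statements(&head, &cf, lose, buggy ? parse_stmt_buggy : parse_stmt_fixed);
    while (head) { s = head->next; free(head); head = s; }
    return n;
}
```

With the buggy callee, run("eex", 1, &lose) reaches the NULL slot and returns -1; with the fixed callee the same input yields a two-node list and *lose set, and the caller never touches the freed statement.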