busybox
NULL pointer gets dereferenced if !FEATURE_MODPROBE_MULTIPLE_OPTIONS
If the pointer dt is null when !FEATURE_MODPROBE_MULTIPLE_OPTIONS is not set, it would dereference the null.
Bug fixed by commit 199501f2a00
| Type | NullDereference |
| Config | !FEATURE_MODPROBE_MULTIPLE_OPTIONS (1st degree) |
| C-features | Structs |
| Fix-in | code |
| Location | modutils/ |
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void build_dep(void)
{
char * dt = NULL;
if(rand() % 2) {
dt = "-i";
}
#ifdef ENABLE_FEATURE_MODPROBE_MULTIPLE_OPTIONS
if(dt) {
// Do something
}
#else
char buf[50];
strcpy(buf, "module option(s): ");
strcat(buf, dt); // ERROR
#endif
}
int main(int argc, char **argv)
{
build_dep();
return 0;
}
diff --git a/simple/199501f.c b/simple/199501f.c
--- a/simple/199501f.c
+++ b/simple/199501f.c
@@ -11,16 +11,16 @@
dt = "-i";
}
+ if(dt) {
#ifdef ENABLE_FEATURE_MODPROBE_MULTIPLE_OPTIONS
- if(dt) {
// Do something
- }
#else
char buf[50];
strcpy(buf, "module option(s): ");
strcat(buf, dt); // ERROR
#endif
+ }
}
int main(int argc, char **argv)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char **argv)
{
// build_dep();
char * dt = NULL;
if(rand() % 2) {
dt = "-i";
}
#ifdef ENABLE_FEATURE_MODPROBE_MULTIPLE_OPTIONS
if(dt) {
// Do something
}
#else
char buf[50];
strcpy(buf, "module option(s): ");
strcat(buf, dt); // ERROR
#endif
return 0;
}
. call /modutils/modprobe.c:852:depend = build_dep(); .. 493:struct dep_t *dt; .. ERROR [!MULTIPLE_OPTIONS] 506:append_option(dt->m_options,opt);