* [PATCH iproute2] nstat: Fix NULL Pointer Dereference
From: Ziao Li @ 2025-03-24 8:26 UTC
To: netdev
The vulnerability happens in load_ugly_table(), misc/nstat.c, in the
latest version of iproute2.
The vulnerability can be triggered by:
1. db is set to NULL at struct nstat_ent *db = NULL;
2. n is set to NULL at n = db;
3. NULL dereference of variable n happens at sscanf(p+1, "%llu", &n->val) != 1
Subject: [PATCH] Fix Null Dereference when no entries are specified
Signed-off-by: Ziao Li <leeziao0331@gmail.com>
---
misc/nstat.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/misc/nstat.c b/misc/nstat.c
index fce3e9c1..b2e19bde 100644
--- a/misc/nstat.c
+++ b/misc/nstat.c
@@ -218,6 +218,10 @@ static void load_ugly_table(FILE *fp)
p = next;
}
n = db;
+ if (n == NULL) {
+ fprintf(stderr, "Error: Invalid input – line has ':' but
no entries. Add values after ':'.\n");
+ exit(-2);
+ }
nread = getline(&buf, &buflen, fp);
if (nread == -1) {
fprintf(stderr, "%s:%d: error parsing history file\n",
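Review bot: The string literal in the added fprintf() is split across two physical lines: it stops after "but" and resumes at "no entries", and the continuation line has no '+' prefix. A C string literal cannot span a raw newline, so this would not compile even if the hunk applied, and the extra unprefixed line means the hunk no longer matches the 10 lines its @@ header announces. Keep the literal on one line, or close it and continue with a second adjacent literal on the next '+' line.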
--
2.34.1
* Re: [PATCH iproute2] nstat: Fix NULL Pointer Dereference
From: Stephen Hemminger @ 2025-04-04 0:34 UTC
To: Ziao Li; +Cc: netdev
On Mon, 24 Mar 2025 16:26:48 +0800
Ziao Li <leeziao0331@gmail.com> wrote:
> The vulnerability happens in load_ugly_table(), misc/nstat.c, in the
> latest version of iproute2.
> The vulnerability can be triggered by:
> 1. db is set to NULL at struct nstat_ent *db = NULL;
> 2. n is set to NULL at n = db;
> 3. NULL dereference of variable n happens at sscanf(p+1, "%llu", &n->val) != 1
>
> Subject: [PATCH] Fix Null Dereference when no entries are specified
> Signed-off-by: Ziao Li <leeziao0331@gmail.com>
> ---
> misc/nstat.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/misc/nstat.c b/misc/nstat.c
> index fce3e9c1..b2e19bde 100644
> --- a/misc/nstat.c
> +++ b/misc/nstat.c
> @@ -218,6 +218,10 @@ static void load_ugly_table(FILE *fp)
> p = next;
> }
> n = db;
> + if (n == NULL) {
> + fprintf(stderr, "Error: Invalid input – line has ':' but
> no entries. Add values after ':'.\n");
> + exit(-2);
> + }
> nread = getline(&buf, &buflen, fp);
> if (nread == -1) {
> fprintf(stderr, "%s:%d: error parsing history file\n",
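Review bot: The new message in the added block does not follow the diagnostic a few lines below it in the same function, which is written as "%s:%d: error parsing history file" and names where the failure was detected. The input here is read from fp, not typed by the user, so "Add values after ':'" gives the reader nothing to act on. Suggest a short message in the same "%s:%d: ..." form as the existing call, stating only that the line has no entries.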
Your mailer is corrupting patches by adding line breaks:
$ git am --sign /tmp/nstat.patch
Applying: nstat: Fix NULL Pointer Dereference
error: corrupt patch at line 15
Patch failed at 0001 nstat: Fix NULL Pointer Dereference
* [PATCH iproute2] nstat: Fix NULL Pointer Dereference
From: 李子奥 @ 2025-04-05 9:42 UTC
To: netdev
The vulnerability happens in load_ugly_table(), misc/nstat.c, in the latest version of iproute2.
The vulnerability can be triggered by:
1. db is set to NULL at struct nstat_ent *db = NULL;
2. n is set to NULL at n = db;
3. NULL dereference of variable n happens at sscanf(p+1, "%llu", &n->val) != 1
Subject: [PATCH] Fix Null Dereference when no entries are specified
Signed-off-by: Ziao Li <leeziao0331@gmail.com>
---
misc/nstat.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/misc/nstat.c b/misc/nstat.c
index fce3e9c1..b2e19bde 100644
--- a/misc/nstat.c
+++ b/misc/nstat.c
@@ -218,6 +218,10 @@ static void load_ugly_table(FILE *fp)
p = next;
}
n = db;
+ if (n == NULL) {
+ fprintf(stderr, "Error: Invalid input – line has ':' but no entries. Add values after ':'.\n");
+ exit(-2);
+ }
nread = getline(&buf, &buflen, fp);
if (nread == -1) {
fprintf(stderr, "%s:%d: error parsing history file\n",
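Review bot: exit(-2) in the added block passes a negative status. Only the low 8 bits of the value reach the parent process, so a caller checking the result sees 254, not -2. Use a small positive status or EXIT_FAILURE here, consistent with the other fatal paths in misc/nstat.c.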
--
2.34.1
* Re: [PATCH iproute2] nstat: Fix NULL Pointer Dereference
From: Stephen Hemminger @ 2025-04-05 15:34 UTC
To: 李子奥; +Cc: netdev
On Sat, 5 Apr 2025 17:42:20 +0800
"李子奥" <23110240084@m.fudan.edu.cn> wrote:
> The vulnerability happens in load_ugly_table(), misc/nstat.c, in the latest version of iproute2.
> The vulnerability can be triggered by:
> 1. db is set to NULL at struct nstat_ent *db = NULL;
> 2. n is set to NULL at n = db;
> 3. NULL dereference of variable n happens at sscanf(p+1, "%llu", &n->val) != 1
>
> Subject: [PATCH] Fix Null Dereference when no entries are specified
>
> Signed-off-by: Ziao Li <leeziao0331@gmail.com>
> ---
> misc/nstat.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/misc/nstat.c b/misc/nstat.c
> index fce3e9c1..b2e19bde 100644
> --- a/misc/nstat.c
> +++ b/misc/nstat.c
> @@ -218,6 +218,10 @@ static void load_ugly_table(FILE *fp)
> p = next;
> }
> n = db;
> + if (n == NULL) {
> + fprintf(stderr, "Error: Invalid input – line has ':' but no entries. Add values after ':'.\n");
> + exit(-2);
> + }
> nread = getline(&buf, &buflen, fp);
> if (nread == -1) {
> fprintf(stderr, "%s:%d: error parsing history file\n",
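Review bot: The message string in the added fprintf() contains a non-ASCII en dash ("Invalid input – line"), so the source file stops being plain ASCII and the output depends on the terminal's encoding. Replace it with an ASCII '-' or ':' or reword the message so the string stays ASCII-only.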
> --
> 2.34.1
Better, but your mailer is still confusing the patch.
You may have to resort to using an attachment.
Also, iproute2 uses kernel coding style and indentation is done with
tabs not spaces.
If this is all too hard for you to fix, I can just do it manually.
* Re: Re: [PATCH iproute2] nstat: Fix NULL Pointer Dereference
From: ZiAo Li @ 2025-04-09 11:20 UTC
To: stephen; +Cc: 23110240084, netdev
Thank you for the review and sorry for the wrong format. I will look into the patching procedure carefully again and resubmit.