From 51ff6c3675d4e62b23383ae62feffc5bd260d570 Mon Sep 17 00:00:00 2001
From: Mingjie Shen
Date: Thu, 22 Jun 2023 14:59:22 -0400
Subject: [PATCH] all/gnrc: fix null pointer dereference
Check return values of following functions for null:
- gnrc_netif_iter
- gnrc_netif_hdr_build
- gnrc_pktsnip_search_type
- gnrc_netif_get_by_pid
- gnrc_netif_hdr_get_netif
- _nib_drl_get
---
 examples/gnrc_networking_mac/mac.c | 8 +++++---
 examples/gnrc_networking_mac/udp.c | 6 +++++-
 .../network_layer/icmpv6/error/gnrc_icmpv6_error.c | 1 +
 sys/net/gnrc/network_layer/ipv6/nib/_nib-arsm.c | 2 +-
 sys/net/gnrc/network_layer/ipv6/nib/nib.c | 4 ++++
 .../sixlowpan/iphc/gnrc_sixlowpan_iphc.c | 5 +++++
 sys/net/gnrc/transport_layer/tcp/gnrc_tcp_pkt.c | 13 +++++++++++++
 sys/shell/cmds/gnrc_icmpv6_echo.c | 4 ++++
 sys/shell/cmds/gnrc_udp.c | 6 +++++-
 9 files changed, 43 insertions(+), 6 deletions(-)
diff --git a/examples/gnrc_networking_mac/mac.c b/examples/gnrc_networking_mac/mac.c
index d5ac8bd0ab..2eaa251a4d 100644
--- a/examples/gnrc_networking_mac/mac.c
+++ b/examples/gnrc_networking_mac/mac.c
@@ -36,9 +36,11 @@ int mac_cmd(int argc, char **argv)
 gnrc_netif_t *netif = NULL;
 netif = gnrc_netif_iter(netif);
- msg_t msg;
- msg.type = GNRC_MAC_TYPE_GET_DUTYCYCLE;
- msg_send(&msg, netif->pid);
+ if (netif) {
+ msg_t msg;
+ msg.type = GNRC_MAC_TYPE_GET_DUTYCYCLE;
+ msg_send(&msg, netif->pid);
+ }
 #else
 puts("MAC: radio duty-cycle unavailable.");
 #endif
diff --git a/examples/gnrc_networking_mac/udp.c b/examples/gnrc_networking_mac/udp.c
index 789af2e3b1..afd2b6be6e 100644
--- a/examples/gnrc_networking_mac/udp.c
+++ b/examples/gnrc_networking_mac/udp.c
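Review bot: With the new `if (netif)` guard, `mac_cmd` silently does nothing when `gnrc_netif_iter` returns NULL, so a user cannot tell "no interface present" from "request sent"; add an else branch in the style of the existing `#else` message, `else { puts("MAC: no network interface found."); }`. The enclosing function starts and ends outside the hunk. A pre-existing detail worth fixing while touching these lines: `msg` is only partially initialised before `msg_send` copies the whole struct, and `msg_t msg = { .type = GNRC_MAC_TYPE_GET_DUTYCYCLE };` would zero the remaining fields.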
@@ -91,7 +91,11 @@ static void send(char *addr_str, char *port_str, char *data, unsigned int num,
 /* add netif header, if interface was given */
 if (netif != NULL) {
 gnrc_pktsnip_t *netif_hdr = gnrc_netif_hdr_build(NULL, 0, NULL, 0);
-
+ if (netif_hdr == NULL) {
+ puts("Error: unable to allocate netif header");
+ gnrc_pktbuf_release(ip);
+ return;
+ }
 gnrc_netif_hdr_set_netif(netif_hdr->data, netif);
 ip = gnrc_pkt_prepend(ip, netif_hdr);
 }
diff --git a/sys/net/gnrc/network_layer/icmpv6/error/gnrc_icmpv6_error.c b/sys/net/gnrc/network_layer/icmpv6/error/gnrc_icmpv6_error.c
index fbdc3b8973..fddb565ff5 100644
--- a/sys/net/gnrc/network_layer/icmpv6/error/gnrc_icmpv6_error.c
+++ b/sys/net/gnrc/network_layer/icmpv6/error/gnrc_icmpv6_error.c
@@ -51,6 +51,7 @@ static size_t _fit(const gnrc_pktsnip_t *orig_pkt)
 if (netif_hdr) {
 gnrc_netif_t *netif = gnrc_netif_hdr_get_netif(netif_hdr->data);
+ assert(netif != NULL);
 pkt_len -= netif_hdr->size;
 DEBUG("gnrc_icmpv6_error: fitting to MTU of iface %u (%u)\n",
diff --git a/sys/net/gnrc/network_layer/ipv6/nib/_nib-arsm.c b/sys/net/gnrc/network_layer/ipv6/nib/_nib-arsm.c
index 050db1bc4c..0709f6b714 100644
--- a/sys/net/gnrc/network_layer/ipv6/nib/_nib-arsm.c
+++ b/sys/net/gnrc/network_layer/ipv6/nib/_nib-arsm.c
@@ -44,7 +44,7 @@ void _snd_ns(const ipv6_addr_t *tgt, gnrc_netif_t *netif,
 _nib_dr_entry_t *dr = _nib_drl_get(NULL, netif->pid);
 /* add ARO based on interface */
- if ((src != NULL) && gnrc_netif_is_6ln(netif) &&
+ if ((src != NULL) && gnrc_netif_is_6ln(netif) && (dr != NULL) &&
 (_nib_onl_get_if(dr->next_hop) == (unsigned)netif->pid) &&
 ipv6_addr_equal(&dr->next_hop->ipv6, dst)) {
 eui64_t eui64;
diff --git a/sys/net/gnrc/network_layer/ipv6/nib/nib.c b/sys/net/gnrc/network_layer/ipv6/nib/nib.c
index efa960ab96..c9259051d7 100644
--- a/sys/net/gnrc/network_layer/ipv6/nib/nib.c
+++ b/sys/net/gnrc/network_layer/ipv6/nib/nib.c
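Review bot: The new error path in `send` releases `ip` but nothing else, and the reason that is sufficient — `netif_hdr` is NULL, so there is no second snip to free and nothing has been prepended yet — is not visible next to `gnrc_pktbuf_release(ip)`; a one-line comment such as `/* netif_hdr is NULL, so ip is the only snip chain to release here */` would stop a later reader from "fixing" it. Whether anything allocated above the hunk is still held on this path cannot be seen here, since the enclosing function starts and ends outside the hunk; that should be confirmed before the comment is taken as complete.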
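Review bot: `assert(netif != NULL)` in `_fit` is compiled out when NDEBUG is defined, so in such a build a netif header that does not resolve to an interface still reaches the dereference this patch is meant to remove; the same applies to the `assert(snp != NULL)` added to `_gnrc_tcp_pkt_get_seg_len` in gnrc_tcp_pkt.c. Because `_fit` is sizing an ICMPv6 error for a packet that arrived from the network, a runtime check is the safer shape, e.g. `gnrc_netif_t *netif = netif_hdr ? gnrc_netif_hdr_get_netif(netif_hdr->data) : NULL;` followed by `if (netif) {` so that an unresolvable interface takes the same path as a packet without a netif header. Whether `pkt_len -= netif_hdr->size` must still happen in that case depends on the rest of `_fit`, which continues outside the hunk.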
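Review bot: The new `(dr != NULL)` term in `_snd_ns` sits in the middle of a three-line condition, and the `/* add ARO based on interface */` comment above it no longer tells the reader that the ARO is also skipped when `_nib_drl_get` returns NULL (presumably: no default router known for this interface); extend it to `/* add ARO based on interface; skipped when no default router entry exists (dr == NULL) */`. Hoisting the NULL test into its own `if` before the comment would make that branch visible without relying on the comment. The enclosing function continues outside the hunk.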
@@ -1424,6 +1424,10 @@ static void _handle_snd_na(gnrc_pktsnip_t *pkt)
 static void _handle_pfx_timeout(_nib_offl_entry_t *pfx)
 {
 gnrc_netif_t *netif = gnrc_netif_get_by_pid(_nib_onl_get_if(pfx->next_hop));
+ if (netif == NULL) {
+ return;
+ }
+
 uint32_t now = evtimer_now_msec();
 gnrc_netif_acquire(netif);
diff --git a/sys/net/gnrc/network_layer/sixlowpan/iphc/gnrc_sixlowpan_iphc.c b/sys/net/gnrc/network_layer/sixlowpan/iphc/gnrc_sixlowpan_iphc.c
index 2dac17b3bd..329815da4b 100644
--- a/sys/net/gnrc/network_layer/sixlowpan/iphc/gnrc_sixlowpan_iphc.c
+++ b/sys/net/gnrc/network_layer/sixlowpan/iphc/gnrc_sixlowpan_iphc.c
@@ -548,6 +548,11 @@ static size_t _iphc_nhc_ipv6_decode(gnrc_pktsnip_t *sixlo, size_t offset,
 uint16_t payload_len;
 size_t tmp;
+ if (netif == NULL) {
+ DEBUG("6lo iphc: unable to find NETIF snip\n");
+ return 0;
+ }
+
 offset++; /* move over NHC header */
 /* realloc size for uncompressed snip, if too small */
 if (ipv6->size < (*uncomp_hdr_len + sizeof(ipv6_hdr_t))) {
diff --git a/sys/net/gnrc/transport_layer/tcp/gnrc_tcp_pkt.c b/sys/net/gnrc/transport_layer/tcp/gnrc_tcp_pkt.c
index 70695d3e5c..5ffdfdff82 100644
--- a/sys/net/gnrc/transport_layer/tcp/gnrc_tcp_pkt.c
+++ b/sys/net/gnrc/transport_layer/tcp/gnrc_tcp_pkt.c
@@ -349,6 +349,7 @@ uint32_t _gnrc_tcp_pkt_get_seg_len(gnrc_pktsnip_t *pkt)
 uint32_t seq = 0;
 uint16_t ctl = 0;
 gnrc_pktsnip_t *snp = gnrc_pktsnip_search_type(pkt, GNRC_NETTYPE_TCP);
+ assert(snp != NULL);
 tcp_hdr_t *hdr = (tcp_hdr_t *) snp->data;
 ctl = byteorder_ntohs(hdr->off_ctl);
 seq = _gnrc_tcp_pkt_get_pay_len(pkt);
@@ -399,6 +400,12 @@ int _gnrc_tcp_pkt_setup_retransmit(gnrc_tcp_tcb_t *tcb, gnrc_pktsnip_t *pkt,
 /* Extract control bits and segment length */
 snp = gnrc_pktsnip_search_type(pkt, GNRC_NETTYPE_TCP);
+ if (snp == NULL) {
+ TCP_DEBUG_ERROR("-EINVAL: snp == NULL.");
+ TCP_DEBUG_LEAVE;
+ return -EINVAL;
+ }
+
 ctl = byteorder_ntohs(((tcp_hdr_t *) snp->data)->off_ctl);
 len = _gnrc_tcp_pkt_get_pay_len(pkt);
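Review bot: The early `return` in `_handle_pfx_timeout` when `gnrc_netif_get_by_pid` finds no interface drops the prefix timeout silently: whatever the remainder of the function does with `pfx` (it continues outside the hunk) is skipped, so an off-link prefix whose interface has disappeared may never be cleaned up and its timer never re-armed or cancelled. At minimum the path should be visible in a debug build — `DEBUG("nib: no interface for prefix timeout, ignoring\n");` if this file uses the same DEBUG macro as the other files in the patch — and the author should say whether the entry must still be removed on this path.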
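Review bot: The new guard in `_iphc_nhc_ipv6_decode` returns 0 when `netif` is NULL, but 0 is also a plausible "nothing consumed" value for a `size_t` decoder result; unless the callers, which are outside the hunk, already treat 0 as a hard failure and release `sixlo`, a 6LoWPAN frame without a NETIF snip could leak the packet or be passed on with an incomplete IPv6 header. Where `netif` comes from is also outside the hunk (the function starts above it), so confirm the caller's handling of 0 and record it at the return, e.g. `return 0; /* 0 = decode failure; caller must drop the packet */`, once verified.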
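Review bot: The new `-EINVAL` return in `_gnrc_tcp_pkt_setup_retransmit` sits after lines outside the hunk that may already have modified `tcb` or held `pkt`; if the code above the hunk increments the packet's user count or assigns `tcb->pkt_retransmit`, this early return leaves that state behind and the caller's release will not undo it, so move the `snp` lookup ahead of any such step or release on this path. The same five-line block (`TCP_DEBUG_ERROR("-EINVAL: snp == NULL.")`, `TCP_DEBUG_LEAVE`, `return -EINVAL`) is repeated verbatim in `_gnrc_tcp_pkt_acknowledge` later in this file; a small `static` helper that returns the TCP header pointer or NULL would keep the two in sync. The enclosing function starts and ends outside the hunk.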
@@ -465,6 +472,12 @@ int _gnrc_tcp_pkt_acknowledge(gnrc_tcp_tcb_t *tcb, const uint32_t ack)
 }
 snp = gnrc_pktsnip_search_type(tcb->pkt_retransmit, GNRC_NETTYPE_TCP);
+ if (snp == NULL) {
+ TCP_DEBUG_ERROR("-EINVAL: snp == NULL.");
+ TCP_DEBUG_LEAVE;
+ return -EINVAL;
+ }
+
 hdr = (tcp_hdr_t *) snp->data;
 /* There must be a packet, waiting to be acknowledged. */
diff --git a/sys/shell/cmds/gnrc_icmpv6_echo.c b/sys/shell/cmds/gnrc_icmpv6_echo.c
index 4912ff63af..3c1c3776f6 100644
--- a/sys/shell/cmds/gnrc_icmpv6_echo.c
+++ b/sys/shell/cmds/gnrc_icmpv6_echo.c
@@ -292,6 +292,10 @@ static int _print_reply(gnrc_pktsnip_t *pkt, int corrupted, uint32_t triptime, v
 gnrc_pktsnip_t *ipv6 = gnrc_pktsnip_search_type(pkt, GNRC_NETTYPE_IPV6);
 gnrc_pktsnip_t *icmpv6 = gnrc_pktsnip_search_type(pkt, GNRC_NETTYPE_ICMPV6);
+ if (!ipv6 || !icmpv6) {
+ return -EINVAL;
+ }
+
 ipv6_hdr_t *ipv6_hdr = ipv6->data;
 icmpv6_echo_t *icmpv6_hdr = icmpv6->data;
diff --git a/sys/shell/cmds/gnrc_udp.c b/sys/shell/cmds/gnrc_udp.c
index eceab45fbb..2bcf0147bb 100644
--- a/sys/shell/cmds/gnrc_udp.c
+++ b/sys/shell/cmds/gnrc_udp.c
@@ -90,7 +90,11 @@ static void _send(const char *addr_str, const char *port_str,
 /* add netif header, if interface was given */
 if (netif != NULL) {
 gnrc_pktsnip_t *netif_hdr = gnrc_netif_hdr_build(NULL, 0, NULL, 0);
-
+ if (netif_hdr == NULL) {
+ printf("Error: unable to allocate netif header\n");
+ gnrc_pktbuf_release(ip);
+ return;
+ }
 gnrc_netif_hdr_set_netif(netif_hdr->data, container_of(netif, gnrc_netif_t, netif));
 ip = gnrc_pkt_prepend(ip, netif_hdr);
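Review bot: The new check in `_print_reply` guards against a missing snip but not against a truncated one: `icmpv6->data` is immediately cast to `icmpv6_echo_t *` and the fields are read, and `pkt` is a reply that arrived from the network, so a snip shorter than the echo header would be read past its end unless the ICMPv6 layer below already enforces that minimum (not visible here). Extend the guard to `if (!ipv6 || !icmpv6 || icmpv6->size < sizeof(icmpv6_echo_t)) {` with the same `return -EINVAL;`, and confirm that the caller, which is outside the hunk, releases `pkt` when `-EINVAL` comes back. The enclosing function continues outside the hunk.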