Syslinux - Oct 2013 - [PATCH 1/1] gpxe: fix possible null pointer dereference

Possibly authority variable (initialized with NULL) might be dereferenced when
an arbitrary path (without "//" on it) is supplied to parse_uri()
function

Signed-off-by: Felipe Pena <felipensp at gmail.com>
---
 gpxe/src/core/uri.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gpxe/src/core/uri.c b/gpxe/src/core/uri.c
index 6a1f2e5..4987821 100644
--- a/gpxe/src/core/uri.c
+++ b/gpxe/src/core/uri.c
@@ -151,7 +151,7 @@ struct uri * parse_uri ( const char *uri_string ) {
 	}
 
 	/* Split authority into user[:password] and host[:port] portions */
-	if ( ( tmp = strchr ( authority, '@' ) ) ) {
+	if ( authority != NULL && ( tmp = strchr ( authority, '@' ) )
) {
 		/* Has user[:password] */
 		*(tmp++) = '\0';
 		uri->host = tmp;
-- 
1.7.10.4

On Sep 23, 2013 10:06 PM, "Felipe Pena" <felipensp at gmail.com>
wrote:
>
> Possibly authority variable (initialized with NULL) might be dereferenced
when
> an arbitrary path (without "//" on it) is supplied to parse_uri()
function
>
> Signed-off-by: Felipe Pena <felipensp at gmail.com>
> ---
>  gpxe/src/core/uri.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/gpxe/src/core/uri.c b/gpxe/src/core/uri.c
> index 6a1f2e5..4987821 100644
> --- a/gpxe/src/core/uri.c
> +++ b/gpxe/src/core/uri.c
> @@ -151,7 +151,7 @@ struct uri * parse_uri ( const char *uri_string ) {
>         }
>
>         /* Split authority into user[:password] and host[:port] portions
*/
> -       if ( ( tmp = strchr ( authority, '@' ) ) ) {
> +       if ( authority != NULL && ( tmp = strchr ( authority,
'@' ) ) ) {
I don't know the source code but I'm wondering if a null authority
should
ever reach here.
>                 /* Has user[:password] */
>                 *(tmp++) = '\0';
>                 uri->host = tmp;
> --
> 1.7.10.4
>
> _______________________________________________
> Syslinux mailing list
> Submissions to Syslinux at zytor.com
> Unsubscribe or set options at:
> http://www.zytor.com/mailman/listinfo/syslinux
> Please do not send private replies to mailing list traffic.
>

Hi,

On Sun, Oct 6, 2013 at 1:22 AM, Leandro Dorileo <l at dorileo.org>
wrote:
> On Sep 23, 2013 10:06 PM, "Felipe Pena" <felipensp at
gmail.com> wrote:
>>
>> Possibly authority variable (initialized with NULL) might be
dereferenced
> when
>> an arbitrary path (without "//" on it) is supplied to
parse_uri() function
>>
>> Signed-off-by: Felipe Pena <felipensp at gmail.com>
>> ---
>>  gpxe/src/core/uri.c |    2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/gpxe/src/core/uri.c b/gpxe/src/core/uri.c
>> index 6a1f2e5..4987821 100644
>> --- a/gpxe/src/core/uri.c
>> +++ b/gpxe/src/core/uri.c
>> @@ -151,7 +151,7 @@ struct uri * parse_uri ( const char *uri_string ) {
>>         }
>>
>>         /* Split authority into user[:password] and host[:port]
portions
> */
>> -       if ( ( tmp = strchr ( authority, '@' ) ) ) {
>> +       if ( authority != NULL && ( tmp = strchr ( authority,
'@' ) ) ) {
>
> I don't know the source code but I'm wondering if a null authority
should
> ever reach here.
>
If the supplied path doesn't contains a "//" on it, this code
fragment
will work with a null authority there.
It was just my assumption that some usage of this function could to be
flawed about this.

>>                 /* Has user[:password] */
>>                 *(tmp++) = '\0';
>>                 uri->host = tmp;
>> --
>> 1.7.10.4
>>
>> _______________________________________________
>> Syslinux mailing list
>> Submissions to Syslinux at zytor.com
>> Unsubscribe or set options at:
>> http://www.zytor.com/mailman/listinfo/syslinux
>> Please do not send private replies to mailing list traffic.
>>
> _______________________________________________
> Syslinux mailing list
> Submissions to Syslinux at zytor.com
> Unsubscribe or set options at:
> http://www.zytor.com/mailman/listinfo/syslinux
> Please do not send private replies to mailing list traffic.
>


-- 
Regards,
Felipe Pena

On 09/23/2013 06:05 PM, Felipe Pena wrote:
> Possibly authority variable (initialized with NULL) might be dereferenced
when
> an arbitrary path (without "//" on it) is supplied to parse_uri()
function
> 
> Signed-off-by: Felipe Pena <felipensp at gmail.com>
> ---
>  gpxe/src/core/uri.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
We should kill the included gpxe and either replace it with ipxe or just
remove it entirely.

	-hpa

?????????,
???????? ?, ?? ??????? (212.122.187.225) ???? ????? ? ???????? DNS ?

# host 212.122.187.225
Host 225.187.122.212.in-addr.arpa. not found: 3(NXDOMAIN)

????, ????????? ????? ( ??? ?????? ????????? ?? ???????? ??? ???? ? ??? ???? ) ?
??????????? ?? ?????? ???????? ?? ????????? ?? ..

????????,
?????? ????????

-----Original Message-----
From: syslinux-bounces at zytor.com [mailto:syslinux-bounces at zytor.com] On
Behalf Of H. Peter Anvin
Sent: Tuesday, October 08, 2013 1:44 AM
To: syslinux at zytor.com
Subject: Re: [syslinux] [PATCH 1/1] gpxe: fix possible null pointer dereference

On 09/23/2013 06:05 PM, Felipe Pena wrote:
> Possibly authority variable (initialized with NULL) might be 
> dereferenced when an arbitrary path (without "//" on it) is
supplied
> to parse_uri() function
> 
> Signed-off-by: Felipe Pena <felipensp at gmail.com>
> ---
>  gpxe/src/core/uri.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
We should kill the included gpxe and either replace it with ipxe or just remove
it entirely.

	-hpa


_______________________________________________
Syslinux mailing list
Submissions to Syslinux at zytor.com
Unsubscribe or set options at:
http://www.zytor.com/mailman/listinfo/syslinux
Please do not send private replies to mailing list traffic.




-----
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2012.0.2242 / Virus Database: 3222/6229 - Release Date: 10/07/13