Security: NULL pointer dereference in writer due to pipe function result handling.

The GCC -fanalyzer parameter helped me discover this one.

The status_pipe is being read and processed.
There is a case where the status_pipe is being set but it is not being reset after handling.
In a later loop the pipe does not get read but the previously set state is used bringing the code into a bad state.
Then the loop doesn't do the block buffer used check and this results in the eventual NULL dereference.

diff --git a/level_3/fss_write/c/payload/fss_write.c b/level_3/fss_write/c/payload/fss_write.c
index 53063a40f0b6948ef7269c3883f7c712693e74d2..ab3a051918d84f914c7db8ecb50929fee422af43 100644 (file)
--- a/level_3/fss_write/c/payload/fss_write.c
+++ b/level_3/fss_write/c/payload/fss_write.c
@@ -117,6 +117,7 @@ extern "C" {
 
         range.start = 0;
         range.stop = setting->block.used - 1;
+        status_pipe = F_none;
       }
 
       // Start Object.
@@ -139,7 +140,7 @@ extern "C" {
           break;
         }
 
-        for (; range.start <= range.stop; ++range.start) {
+        for (; range.start <= range.stop && range.start < setting->block.used; ++range.start) {
 
           // Do not handle start/end while inside an ignore set.
           if (!(flag & 0x2)) {
@@ -248,7 +249,7 @@ extern "C" {
             break;
           }
 
-          for (; range.start <= range.stop; ++range.start) {
+          for (; range.start <= range.stop && range.start < setting->block.used; ++range.start) {
 
             // Do not handle start/end while inside an ignore set.
             if (!(flag & 0x2)) {