From: Kevin Day Date: Thu, 26 Jan 2023 00:56:04 +0000 (-0600) Subject: Security: NULL pointer dereference in writer due to pipe function result handling. X-Git-Url: https://git.kevux.org/?a=commitdiff_plain;h=77969088e4a0f85fa310434c39414794816d8329;p=fll Security: NULL pointer dereference in writer due to pipe function result handling. The GCC -fanalyzer parameter helped me discover this one. The status_pipe is being read and processed. There is a case where the status_pipe is being set but it is not being reset after handling. In a later loop the pipe does not get read but the previously set state is used bringing the code into a bad state. Then the loop doesn't do the block buffer used check and this results in the eventual NULL dereference. --- diff --git a/level_3/fss_write/c/payload/fss_write.c b/level_3/fss_write/c/payload/fss_write.c index 53063a4..ab3a051 100644 --- a/level_3/fss_write/c/payload/fss_write.c +++ b/level_3/fss_write/c/payload/fss_write.c @@ -117,6 +117,7 @@ extern "C" { range.start = 0; range.stop = setting->block.used - 1; + status_pipe = F_none; } // Start Object. @@ -139,7 +140,7 @@ extern "C" { break; } - for (; range.start <= range.stop; ++range.start) { + for (; range.start <= range.stop && range.start < setting->block.used; ++range.start) { // Do not handle start/end while inside an ignore set. if (!(flag & 0x2)) { @@ -248,7 +249,7 @@ extern "C" { break; } - for (; range.start <= range.stop; ++range.start) { + for (; range.start <= range.stop && range.start < setting->block.used; ++range.start) { // Do not handle start/end while inside an ignore set. if (!(flag & 0x2)) {
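Review bot: in the first hunk (fss_write.c around line 117), `status_pipe = F_none;` resets the state only inside the branch that sets `range.start`/`range.stop` from `setting->block.used`, so any other path that consumes `status_pipe` in this iteration still carries the previous value into the next loop pass, which is exactly the failure the commit message describes. Consider resetting `status_pipe` unconditionally at the top of each iteration (before the pipe is read or the block is processed) and leaving this assignment as a belt-and-braces measure, and add a one-line comment stating the invariant ("status_pipe reflects only the current iteration's read") so the next edit does not reintroduce the leak.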
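Review bot: in the second hunk (around line 140), the new `&& range.start < setting->block.used` guard stops the out-of-range read, but it also silently tolerates a `range.stop` that is inconsistent with `block.used`; since `range.stop` is computed as `setting->block.used - 1` in the first hunk, a `block.used` of 0 yields a wrapped-around `range.stop` if that field is an unsigned type (the type is not visible in this diff). A short comment above the loop explaining why the extra bound is required (stale `range` from a skipped pipe read, or an empty block) would make the intent clear, and an explicit check for `setting->block.used == 0` before computing `range.stop` would remove the underflow at its source rather than only at the consumer.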
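Review bot: the third hunk (around line 249) adds the identical `range.start < setting->block.used` guard to a second, structurally identical loop, which means the two loops must now be kept in sync by hand; a single static helper (or a small macro) that encapsulates "iterate over the valid part of the block" would ensure any future change to the bound lands in both places. As with the earlier hunk, the guard should carry a comment naming the condition it defends against, since a bare extra loop condition reads like an accidental redundancy of `range.stop` to a later maintainer.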