[PATCH libassuan] Fix NULL pointer dereference in _assuan_error().

Xi Wang xi.wang at gmail.com
Thu Nov 15 09:29:06 CET 2012


Multiple functions invoke _assuan_error() with a NULL ctx.

  if (!ctx)
    return _assuan_error (ctx, GPG_ERR_ASS_INV_VALUE);

Since _assuan_error() dereferences ctx, this patch adds a NULL check.
---
JOOC, did they ever trigger NULL pointer dereferences?  Some functions
seem to explicitly allow NULL ctx, such as assuan_sendfd():

  /* It is explicitly allowed to use (NULL, -1) as a runtime test to
     check whether descriptor passing is available. */

If a caller follows this comment, it's likely to trigger a bug.
---
 src/assuan-defs.h |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/assuan-defs.h b/src/assuan-defs.h
index f6cb9b4..161a28f 100644
--- a/src/assuan-defs.h
+++ b/src/assuan-defs.h
@@ -55,7 +55,8 @@
 #define LINELENGTH ASSUAN_LINELENGTH
 
 /* Generate an error code specific to a context.  */
-#define _assuan_error(ctx, errcode) gpg_err_make ((ctx)->err_source, errcode)
+#define _assuan_error(ctx, errcode) \
+  gpg_err_make ((ctx) ? (ctx)->err_source : GPG_ERR_SOURCE_DEFAULT, errcode)
 
 
 struct cmdtbl_s
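Review bot: the new macro body evaluates `(ctx)` twice, so an argument with side effects (for example a function call that returns the context) would run twice; this is harmless for the plain `ctx` identifiers the callers quoted in the commit message pass, but worth a comment above the macro, or turning `_assuan_error` into a small static inline function, which would also make the NULL case explicit and type-checked. The commit message should also state that errors raised with a NULL context now carry `GPG_ERR_SOURCE_DEFAULT` as their source rather than the context's `err_source`, since callers inspecting the error source can observe that change.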
-- 
1.7.10.4




More information about the Gnupg-devel mailing list