Null pointer dereference
Closed this issue · 2 comments
Hello, I found a null-pointer-dereference bug in the source code of dynamips; would you help me check if this bug is true? Thank you very much!
Here is an overview of the bug occurrence.
step 1:
in file dynamips/common/rom2c.c, line 63:
call elf32_getehdr and load its return value into ehdr (additionally, img_elf is guaranteed not to be null according to line 46)
step 2:
in file libelf/elf32_getehdr.c, line 92:
call getehdr_impl; img_elf is used as the 1st parameter
step 3:
in file libelf/elf32_getehdr.c, line 53/71:
there are two paths that may return null (though with low probability)
step 4:
in file libelf/elf32_getehdr.c, line 95:
return the result to the caller, which can be null
step 5:
in file dynamips/common/rom2c.c, line 63:
load the return value of elf32_getehdr into ehdr, which can be null
step 6:
in file dynamips/common/rom2c.c, line 74:
dereference ehdr without checking if ehdr is null
Is this bug true or false? Looking forward to your reply.
Not a bug.
Passing the elf32_getphdr check before that code guarantees that this path is not taken.
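The pattern described in the report (a header accessor that can return NULL, and a caller that dereferences the result) is worth seeing with the check in place. The following is an added example, not dynamips or libelf code: `example_getehdr` is a hypothetical stand-in for `elf32_getehdr` that decodes an ELF32 header from a raw image and returns NULL on a short, non-ELF or non-32-bit image, and `example_entry_point` is a caller shaped like the reported rom2c.c path that tests the return value before touching it. `SAMPLE_IMAGE` is a constructed big-endian ELF32 header; the field layout follows the public ELF specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal ELF32 header (field names follow the public ELF spec). */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Elf32_Ehdr;

#define ELF32_EHDR_SIZE 52   /* on-disk size of an ELF32 header */

/* Byte readers honouring EI_DATA (le != 0 for little-endian images). */
static uint16_t rd16(const unsigned char *p, int le)
{
    return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[0] << 8 | p[1]);
}
static uint32_t rd32(const unsigned char *p, int le)
{
    return le ? ((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24)
              : ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3]);
}

/* Hypothetical stand-in for elf32_getehdr(): decodes the header into *out and
 * returns out, or NULL when the image is missing, too short, not ELF, or not
 * 32-bit. A NULL return is the normal, expected failure signal here. */
static Elf32_Ehdr *example_getehdr(const unsigned char *img, size_t len, Elf32_Ehdr *out)
{
    int le;
    if (img == NULL || out == NULL || len < ELF32_EHDR_SIZE) return NULL;
    if (memcmp(img, "\x7f" "ELF", 4) != 0) return NULL;   /* no ELF magic */
    if (img[4] != 1) return NULL;                          /* EI_CLASS must be ELFCLASS32 */
    if (img[5] != 1 && img[5] != 2) return NULL;           /* EI_DATA: 1 = LSB, 2 = MSB */
    le = (img[5] == 1);
    memcpy(out->e_ident, img, 16);
    out->e_type      = rd16(img + 16, le);
    out->e_machine   = rd16(img + 18, le);
    out->e_version   = rd32(img + 20, le);
    out->e_entry     = rd32(img + 24, le);
    out->e_phoff     = rd32(img + 28, le);
    out->e_shoff     = rd32(img + 32, le);
    out->e_flags     = rd32(img + 36, le);
    out->e_ehsize    = rd16(img + 40, le);
    out->e_phentsize = rd16(img + 42, le);
    out->e_phnum     = rd16(img + 44, le);
    out->e_shentsize = rd16(img + 46, le);
    out->e_shnum     = rd16(img + 48, le);
    out->e_shstrndx  = rd16(img + 50, le);
    return out;
}

/* Caller in the shape of the reported rom2c.c path, with the NULL check present.
 * Returns the entry address, or -1 when no header could be obtained. */
static int64_t example_entry_point(const unsigned char *img, size_t len)
{
    Elf32_Ehdr hdr;
    const Elf32_Ehdr *ehdr = example_getehdr(img, len, &hdr);
    if (ehdr == NULL)   /* without this test a NULL return would be dereferenced */
        return -1;
    return (int64_t)ehdr->e_entry;
}

/* Constructed sample: a big-endian ELF32 header for EM_MIPS with
 * e_entry = 0xBFC00000; only the fields this example reads are meaningful. */
static const unsigned char SAMPLE_IMAGE[ELF32_EHDR_SIZE] = {
    0x7f, 'E', 'L', 'F', 1, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x00, 0x02,                         /* e_type = ET_EXEC */
    0x00, 0x08,                         /* e_machine = EM_MIPS */
    0x00, 0x00, 0x00, 0x01,             /* e_version = EV_CURRENT */
    0xbf, 0xc0, 0x00, 0x00,             /* e_entry */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* e_phoff, e_shoff, e_flags */
    0x00, 0x34,                         /* e_ehsize = 52 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0        /* remaining 16-bit fields */
};
```

Running `example_entry_point(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE)` yields the entry address, while a truncated image or a NULL pointer yields -1 instead of a crash. The maintainer's reply is the other half of the picture: if an earlier check (such as the elf32_getphdr call mentioned above) already fails the image before this point, the NULL branch is unreachable in practice, and a static checker that cannot see that ordering will report it anyway; an explicit test at the dereference site costs one comparison and makes the invariant local and verifiable.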