nstat: NULL Dereference when no entries specified

The NULL Pointer Dereference vulnerability happens in load_ugly_table(), misc/nstat.c, in the latest version of iproute2.
The vulnerability can be triggered by:
1. db is set to NULL at struct nstat_ent *db = NULL;
2. n is set to NULL at n = db;
3. NULL dereference of variable n happens at sscanf(p+1, "%llu", &n->val) != 1

Signed-off-by: ZiAo Li <23110240084@m.fudan.edu.cn>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>

diff --git a/misc/nstat.c b/misc/nstat.c
index fce3e9c1ec792a2e7f163c3668cfd7d2bc2a979f..b2e19bde2df5447896e1576470d049034a1ecc1a 100644 (file)
--- a/misc/nstat.c
+++ b/misc/nstat.c
@@ -218,6 +218,10 @@ static void load_ugly_table(FILE *fp)
                        p = next;
                }
                n = db;
+               if (n == NULL) {
+                       fprintf(stderr, "Error: Invalid input – line has ':' but no entries. Add values after ':'.\n");
+                       exit(-2);
+               }
                nread = getline(&buf, &buflen, fp);
                if (nread == -1) {
                        fprintf(stderr, "%s:%d: error parsing history file\n",