Add a check for a null pointer before calling the regexec function.

Without out this check we could, under some circumstances, pass
a null pointer to the regexec function causing it to segfault.
[ISC-Bugs #26704].

diff --git a/RELNOTES b/RELNOTES
index beeabf308f79172df8fa73dc7fe092f82ffb3c0b..09becd0f1fc7c27d38ca9dae00b20116ec958013 100644 (file)
--- a/RELNOTES
+++ b/RELNOTES
@@ -39,6 +39,14 @@ The system has only been tested on Linux, FreeBSD, and Solaris, and may not
 work on other platforms. Please report any problems and suggested fixes to
 <dhcp-users@isc.org>.
 
+                       Changes since 4.2.3
+
+! Add a check for a null pointer before calling the regexec function.
+  Without out this check we could, under some circumstances, pass
+  a null pointer to the regexec function causing it to segfault.
+  [ISC-Bugs #26704].
+  CVE:
+
                        Changes since 4.2.2
 
 - Fix the code that checks for an existing DDNS transaction to cancel

diff --git a/common/tree.c b/common/tree.c
index d09107b8bbd587498f9cf0feb657b8c7358be6a9..20b2bc6447c7cc4a30b2d20ac5ccf3dbaf0b336e 100644 (file)
--- a/common/tree.c
+++ b/common/tree.c
@@ -1120,6 +1120,7 @@ int evaluate_boolean_expression (result, packet, lease, client_state,
                *result = 0;
                memset(&re, 0, sizeof(re));
                if (bleft && bright &&
+                   (left.data != NULL) &&
                    (regcomp(&re, (char *)right.data, regflags) == 0) &&
                    (regexec(&re, (char *)left.data, (size_t)0, NULL, 0) == 0))
                                *result = 1;