From: Shawn Routhier Date: Tue, 22 Nov 2011 23:56:50 +0000 (+0000) Subject: Add a check for a null pointer before calling the regexec function. X-Git-Tag: v4_3_0a1~138 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b95f1ee0701f658fbbbe497f535564717fbe604e;p=thirdparty%2Fdhcp.git Add a check for a null pointer before calling the regexec function. Without out this check we could, under some circumstances, pass a null pointer to the regexec function causing it to segfault. [ISC-Bugs #26704]. --- diff --git a/RELNOTES b/RELNOTES index beeabf308..09becd0f1 100644 --- a/RELNOTES +++ b/RELNOTES @@ -39,6 +39,14 @@ The system has only been tested on Linux, FreeBSD, and Solaris, and may not work on other platforms. Please report any problems and suggested fixes to . + Changes since 4.2.3 + +! Add a check for a null pointer before calling the regexec function. + Without out this check we could, under some circumstances, pass + a null pointer to the regexec function causing it to segfault. + [ISC-Bugs #26704]. + CVE: + Changes since 4.2.2 - Fix the code that checks for an existing DDNS transaction to cancel diff --git a/common/tree.c b/common/tree.c index d09107b8b..20b2bc644 100644 --- a/common/tree.c +++ b/common/tree.c @@ -1120,6 +1120,7 @@ int evaluate_boolean_expression (result, packet, lease, client_state, *result = 0; memset(&re, 0, sizeof(re)); if (bleft && bright && + (left.data != NULL) && (regcomp(&re, (char *)right.data, regflags) == 0) && (regexec(&re, (char *)left.data, (size_t)0, NULL, 0) == 0)) *result = 1;
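Review bot: In the RELNOTES hunk, the new entry under "Changes since 4.2.3" ends with a bare "CVE:" field and no identifier. Either fill in the assigned identifier before release or drop the field, since an empty "CVE:" line leaves readers unable to tell whether an identifier was assigned for this fix. The entry text also reads "Without out this check", which should be "Without this check".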
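Review bot: In the common/tree.c hunk, the new guard covers only left.data, while the same condition still passes (char *)right.data to regcomp with no NULL test. If bright can be true with right.data unset for the same reason bleft can be true with left.data unset, regcomp gets a null pattern and the crash moves one call earlier. Consider adding (right.data != NULL) next to (left.data != NULL), ahead of the regcomp call. Both casts also treat the buffers as NUL-terminated C strings, and nothing in the visible condition checks that; a short comment stating where termination is guaranteed would help the next reader.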