From 866e1d107b7de68ca1fcd1d4d5ffecf9d96bff30 Mon Sep 17 00:00:00 2001 From: ZiAo Li <23110240084@m.fudan.edu.cn> Date: Wed, 9 Apr 2025 23:03:30 +0800 Subject: [PATCH] nstat: NULL Dereference when no entries specified The NULL Pointer Dereference vulnerability happens in load_ugly_table(), misc/nstat.c, in the latest version of iproute2. The vulnerability can be triggered by: 1. db is set to NULL at struct nstat_ent *db = NULL; 2. n is set to NULL at n = db; 3. NULL dereference of variable n happens at sscanf(p+1, "%llu", &n->val) != 1 Signed-off-by: ZiAo Li <23110240084@m.fudan.edu.cn> Signed-off-by: Stephen Hemminger --- misc/nstat.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/misc/nstat.c b/misc/nstat.c index fce3e9c1..b2e19bde 100644 --- a/misc/nstat.c +++ b/misc/nstat.c @@ -218,6 +218,10 @@ static void load_ugly_table(FILE *fp) p = next; } n = db; + if (n == NULL) { + fprintf(stderr, "Error: Invalid input – line has ':' but no entries. Add values after ':'.\n"); + exit(-2); + } nread = getline(&buf, &buflen, fp); if (nread == -1) { fprintf(stderr, "%s:%d: error parsing history file\n", -- 2.47.2