
Bug 2136807

Summary: utils/mount/parse_dev.c:173 potential NULL pointer dereference in nfs_parse_square_bracket()
Product: Red Hat Enterprise Linux 9
Reporter: Zhi Li <yieli>
Component: nfs-utils
Assignee: Steve Dickson <steved>
Status: CLOSED ERRATA
QA Contact: Zhi Li <yieli>
Severity: unspecified
Priority: unspecified
Version: 9.2
CC: jiyin, xzhou, yoyang
Target Milestone: rc
Keywords: Patch, Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: nfs-utils-2.5.4-16.el9
Last Closed: 2023-05-09 08:19:40 UTC
Type: Bug

Description Zhi Li 2022-10-21 12:25:07 UTC
Description of problem:

There exists a potential NULL pointer dereference path in nfs_parse_square_bracket() of utils/mount/parse_dev.c

 129 /*
 130  * To handle raw IPv6 addresses (which contain colons), the
 131  * server's address is enclosed in square brackets.  Return
 132  * what's between the brackets.
 133  *
 134  * There could be anything in between the brackets, but we'll
 135  * let DNS resolution sort it out later.
 136  */
 137 static int nfs_parse_square_bracket(const char *dev,
 138                                     char **hostname, char **pathname)
 139 {
 140         size_t host_len, path_len;
 141         char *cbrace;
 142 
 143         dev++;
 144 
 145         /* Must have a closing square bracket */
 146         cbrace = strchr(dev, ']');
 147         if (cbrace == NULL)
 148                 return nfs_pdn_missing_brace_err();
 149         *cbrace = '\0';
 150         host_len = cbrace - dev;
 151 
 152         /* Must have a colon just after the closing bracket */
 153         cbrace++;
 154         if (*cbrace != ':')
 155                 return nfs_pdn_bad_format_err();
 156 
 157         if (host_len > NFS_MAXHOSTNAME)
 158                 return nfs_pdn_hostname_too_long_err();
 159 
 160         cbrace++;
 161         path_len = strlen(cbrace);
 162         if (path_len > NFS_MAXPATHNAME)
 163                 return nfs_pdn_pathname_too_long_err();
 164 
 165         if (hostname) {
 166                 *hostname = strndup(dev, host_len);
 167                 if (*hostname == NULL)
 168                         return nfs_pdn_nomem_err();
 169         }
 170         if (pathname) {
 171                 *pathname = strndup(cbrace, path_len);
 172                 if (*pathname == NULL) {
 173                         free(*hostname); // <<<< checked in line 165, but should test again here before dereference to avoid the NULL value
 174                         return nfs_pdn_nomem_err();
 175                 }
 176         }
 177         return 1;
 178 }

Version-Release number of selected component (if applicable):
nfs-utils-2.5.4-15

http://download.eng.bos.redhat.com/brewroot/vol/rhel-9/packages/nfs-utils/2.5.4/15.el9/src/nfs-utils-2.5.4-15.el9.src.rpm


Additional info:
Found by clang-static-analyzer.

Comment 1 Zhi Li 2022-10-21 12:29:00 UTC
It is a similar issue as:

mount.nfs: fix null pointer dereference in nfs_parse_simple_hostname
http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=9c3d8687c96b7fe4a7920dc474e91f190b6d8f37

I will submit another patch to fix it.

Comment 2 Steve Dickson 2022-10-25 14:41:27 UTC
commit ea536a2e641664c8ea439e5e571e757785f587c9
Author: Zhi Li <yieli>
Date:   Mon Oct 24 13:31:41 2022 -0400

    mount.nfs: fix NULL pointer dereference in nfs_parse_square_bracket
    
    In function nfs_parse_square_bracket, hostname could be NULL,
    dereferencing it in free(*hostname) may cause an unexpected segfault.
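
The guard asked for at line 173, as an added example (not the nfs-utils source and not the upstream patch): a simplified stand-in parser, parse_bracketed(), that tests the optional hostname out-pointer before freeing through it. The names parse_bracketed, dup_n and fail_on_call are hypothetical; dup_n is a fault-injection hook that forces the pathname copy to fail so the error path can be exercised with hostname == NULL. Length limits and the nfs_pdn_* error helpers are left out.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fault-injection hook: fail the Nth copy (0 = never fail). */
static int fail_on_call, dup_calls;

static char *dup_n(const char *s, size_t n)
{
	char *p = (++dup_calls == fail_on_call) ? NULL : malloc(n + 1);
	if (p) { memcpy(p, s, n); p[n] = '\0'; }
	return p;
}

/* Simplified stand-in for nfs_parse_square_bracket(): parse "[host]:/path".
 * Either out-pointer may be NULL. Returns 1 on success, 0 on error. */
static int parse_bracketed(const char *dev, char **hostname, char **pathname)
{
	const char *cbrace;

	if (dev == NULL || *dev != '[')
		return 0;
	dev++;
	cbrace = strchr(dev, ']');
	if (cbrace == NULL || cbrace[1] != ':')
		return 0;
	if (hostname) {
		*hostname = dup_n(dev, (size_t)(cbrace - dev));
		if (*hostname == NULL)
			return 0;
	}
	if (pathname) {
		*pathname = dup_n(cbrace + 2, strlen(cbrace + 2));
		if (*pathname == NULL) {
			/* hostname is optional: test it before dereferencing */
			if (hostname) {
				free(*hostname);
				*hostname = NULL; /* no dangling pointer for the caller */
			}
			return 0;
		}
	}
	return 1;
}

int main(void)
{
	char *path = NULL;
	fail_on_call = 1; /* constructed failure: the pathname copy fails */
	printf("%d\n", parse_bracketed("[fe80::1]:/export", NULL, &path));
	return 0;
}
```

Without the `if (hostname)` test, the constructed call in main() would evaluate `*hostname` with hostname == NULL, which is the path the analyzer reported.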

Comment 3 Yongcheng Yang 2022-11-15 10:52:48 UTC
(In reply to Steve Dickson from comment #2)
This patch has already been applied to rhel9.

Comment 8 errata-xmlrpc 2023-05-09 08:19:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (nfs-utils bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2510