From 27ff18cd43aae787fc74780044d0e2189d6e3d33 Mon Sep 17 00:00:00 2001
From: Richard Yao
Date: Sat, 11 Mar 2023 13:21:04 -0500
Subject: [PATCH] Fix possible NULL pointer dereference in nvlist_lookup_nvpair_ei_sep()

Clang's static analyzer complains about a possible NULL pointer dereference in nvlist_lookup_nvpair_ei_sep() because it unconditionally dereferences a pointer initialized by `nvpair_value_nvlist_array()` under the assumption that `nvpair_value_nvlist_array()` will always initialize the pointer without checking to see if an error was returned to indicate otherwise. This itself is improper error handling, so we fix it. However, fixing it to properly respond to errors is not enough to avoid a NULL pointer dereference, since we can receive NULL when the array is empty, so we also add a NULL check.

Reviewed-by: Tino Reichardt
Reviewed-by: Brian Behlendorf
Signed-off-by: Richard Yao
Closes #14612
---
 module/nvpair/nvpair.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/module/nvpair/nvpair.c b/module/nvpair/nvpair.c
index c494056c5c..023d496019 100644
--- a/module/nvpair/nvpair.c
+++ b/module/nvpair/nvpair.c
@@ -2057,8 +2057,11 @@ nvlist_lookup_nvpair_ei_sep(nvlist_t *nvl, const char *name, const char sep,
 			nvl = EMBEDDED_NVL(nvp);
 			break;
 		} else if (nvpair_type(nvp) == DATA_TYPE_NVLIST_ARRAY) {
-			(void) nvpair_value_nvlist_array(nvp,
-			    &nva, (uint_t *)&n);
+			if (nvpair_value_nvlist_array(nvp,
+			    &nva, (uint_t *)&n) != 0)
+				goto fail;
+			if (nva == NULL)
+				goto fail;
 			if ((n < 0) || (idx >= n))
 				goto fail;
 			nvl = nva[idx];
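Review bot: The new `if (nva == NULL) goto fail;` carries no explanation in the code, so a later reader may assume the `(n < 0) || (idx >= n)` test below already covers it and drop it; the reason given in the commit message belongs next to the check, e.g. `/* An empty array yields nva == NULL; reject before indexing. */`. The two new guards could also be written as one condition, `if (nvpair_value_nvlist_array(nvp, &nva, (uint_t *)&n) != 0 || nva == NULL) goto fail;`, matching the single-condition `goto fail` that follows. The `(uint_t *)&n` cast paired with the `(n < 0)` test suggests `n` is declared signed and its count is written through an unsigned pointer; that is pre-existing and declared outside the hunk, but it is worth a look while this path is being hardened. nvlist_lookup_nvpair_ei_sep() begins before and continues after this hunk.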