Fix potential NULL pointer dereference in lzc_ioctl()

ryao · web-flow · commit 19516b69ee41 · 2022-10-14T13:33:22.000-07:00
Users are allowed to pass NULL to resultp, but we unconditionally assume that they never do. When an external user does pass NULL to resultp, we dereference a NULL pointer. Clang's static analyzer complained about this. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Reviewed-by: Ryan Moeller <ryan@iXsystems.com> Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu> Closes #14008
diff --git a/lib/libzfs_core/libzfs_core.c b/lib/libzfs_core/libzfs_core.c
@@ -235,7 +235,7 @@ lzc_ioctl(zfs_ioc_t ioc, const char *name,
 			break;
 		}
 	}
-	if (zc.zc_nvlist_dst_filled) {
+	if (zc.zc_nvlist_dst_filled && resultp != NULL) {
 		*resultp = fnvlist_unpack((void *)(uintptr_t)zc.zc_nvlist_dst,
 		    zc.zc_nvlist_dst_size);
 	}

Original file line number	Diff line number	Diff line change
`@@ -235,7 +235,7 @@ lzc_ioctl(zfs_ioc_t ioc, const char *name,`
`235`	`235`	`break;`
`236`	`236`	`}`
`237`	`237`	`}`
`238`		`- if (zc.zc_nvlist_dst_filled) {`
	`238`	`+ if (zc.zc_nvlist_dst_filled && resultp != NULL) {`
`239`	`239`	`resultp = fnvlist_unpack((void )(uintptr_t)zc.zc_nvlist_dst,`
`240`	`240`	`zc.zc_nvlist_dst_size);`
`241`	`241`	`}`