Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Segfault trying to dereference NULL pointer. #435

Open
stephen-hunt opened this issue Feb 12, 2024 · 0 comments
Open

Segfault trying to dereference NULL pointer. #435

stephen-hunt opened this issue Feb 12, 2024 · 0 comments

Comments

@stephen-hunt
Copy link

My team and I are using CF for our project. During development and testing, I hit a segfault. I already debugged it and am writing this to share with the open source community.

Describe the bug
CF app experiences segfault.

Issue
File: cf_cfdp.c
Function: CF_CFDP_RecvIdle()

Within that function, there is a logical path where you can enter the else statement that states "R2 can handle missing metadata, so go ahead and create a temp file". The following then happens:

CF_CFDP_RecvIdle()--->else /* R2 can handle missing metadata...--->CF_CFDP_DispatchRecv(t, ph)--->CF_CFDP_R2_Recv(t)--->CF_CFDP_R2_SubstateRecvFileData(t)--->CF_CFDP_R2_Reset(t)--->CF_CFDP_R1_Reset(t)--->CF_CFDP_ResetTransaction(t)--->CF_FreeTransaction(t)--->Set Everything in t to 0 including pointers--->Come back out into the CF_CFDP_RecvIdle() function and continue--->if (t->state == CF_TxnState_IDLE){}(Of course it is, everything was just set to 0)--->CF_CFDP_ResetTransaction(t)--->if (t->history->dir == CF_Direction_TX)--->SEGFAULT because history (a pointer) was set to NULL by CF_FreeTransaction().

My Quick Fix
For my project, I just created a quick fix in  CF_CFDP_RecvIdle().

if (t->history != NULL && t->state == CF_TxnState_IDLE) { /* state was not changed, so free the transaction */ CF_CFDP_ResetTransaction(t, 0); }

There may be a more elegant fix.

To Reproduce
Not sure how to reproduce, it was a pretty specific path that we hit. Hopefully my description helps you artificially hit that path.

Expected behavior
Code does not segfault. It just continues forward.

Code snips
Mentioned above.

System observed on:

  • OS: Ubuntu 22.04

Additional context
I will say I ported the app to run as a standalone application on my Linux machine, so it occurred outside the expected environment, but the logical path is still there. And the changes I made were minimal. The issue occurred in an area of code that I did not touch.

Reporter Info
Stephen Hunt Turion Space

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant