Skip to content

nshlib/nsh_fscmds: Fix potential NULL pointer dereferences#3575

Merged
acassis merged 1 commit into
apache:masterfrom
Zepp-Hanzj:fix/nsh-null-checks
Jun 30, 2026
Merged

nshlib/nsh_fscmds: Fix potential NULL pointer dereferences#3575
acassis merged 1 commit into
apache:masterfrom
Zepp-Hanzj:fix/nsh-null-checks

Conversation

@Zepp-Hanzj

Copy link
Copy Markdown
Contributor

Summary

Fix two potential NULL pointer dereferences in nshlib/nsh_fscmds.c.

Changes

1. fdinfo_callback — NULL deref after asprintf failure

When asprintf() fails (returns < 0), filepath may be NULL. The code logged an error but did not return — it fell through and passed the NULL filepath to nsh_catfile(), causing a NULL pointer dereference.

Fix: Add return ret; after the asprintf error path.

Also fixed a typo in the error message: "nsh_catfaile""nsh_catfile".

2. cmd_cat — NULL deref after malloc failure

When argc == 1 (reading from stdin), malloc(BUFSIZ) was called but the return value was never checked. If malloc fails, buf is NULL and nsh_read(vtbl, buf, BUFSIZ) would dereference it.

Fix: Add if (buf == NULL) return -ENOMEM; after the malloc call.

Verification

Built and tested on sim:nsh configuration:

nsh> cat /data/hello.txt
hello

nsh> cat /etc/group
root:*:0:root,admin

nsh> fdinfo 0
FD  OFLAGS  TYPE POS       PATH
0   3       1    0         /dev/console
1   3       1    0         /dev/console
2   3       1    0         /dev/console

nsh> fdinfo 1
FD  OFLAGS  TYPE POS       PATH
0   3       1    0         /dev/console
1   3       1    0         /dev/console
2   3       1    0         /dev/console

nsh> ls -l /data
 -rw-r--r--         152 .version
 -rw-r--r--        1883 .config.backup
 drwxr-xr-x        4096 binfmt/

nsh> help
    .           cmp         false       mkfifo      readlink    time
    [           dirname     fdinfo      mkrd        rm          true

Signed-off-by: hanzhijian hanzhijian@zepp.com

Fix two potential NULL pointer dereferences in nsh_fscmds.c:

1. fdinfo_callback: asprintf() failure left filepath potentially
   NULL, which was then passed to nsh_catfile(). Add early return
   on asprintf failure.

2. cmd_cat: malloc(BUFSIZ) for stdin reading was used without
   checking the return value. Add NULL check with -ENOMEM return.

Also fix a typo in error message: 'nsh_catfaile' -> 'nsh_catfile'.

Signed-off-by: hanzhijian <hanzhijian@zepp.com>
@acassis acassis merged commit 9b51035 into apache:master Jun 30, 2026
41 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants