Skip to content

rbus: fix NULL pointer dereference in rbusEvent_SubscribeRawData #421

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
svc-rdkeportal01 wants to merge 1 commit into
base: release
Choose a base branch
from
Open

rbus: fix NULL pointer dereference in rbusEvent_SubscribeRawData #421

svc-rdkeportal01 wants to merge 1 commit into from

Conversation

@svc-rdkeportal01
Copy link

@svc-rdkeportal01 svc-rdkeportal01 commented Dec 4, 2025

Issue Fixed

Coverity Defect: FORWARD_NULL
CWE: CWE-476 (NULL Pointer Dereference)
Severity: HIGH
Function: rbusEvent_SubscribeRawData
File: src/rbus/rbus.c

Root Cause

The function rbusEvent_SubscribeRawData calls rbusEventSubscription_find() which can return NULL, but then unconditionally dereferences the returned pointer when accessing subInternal->sub and subInternal->subscriptionId.

This occurs in two locations:

  1. Line 5322 - In the if(myConn) branch when calling rbusMessage_AddPrivateListener()
  2. Line 5340 - In the else branch when calling rbusMessage_AddListener()

Changes Made

Added NULL checks before dereferencing subInternal in both branches:

Location 1: if(myConn) branch

if(subInternal)
{
    errorcode = rbusMessage_AddPrivateListener(handle, rawDataTopic, _subscribe_rawdata_handler, 
                                                (void *)(subInternal->sub), subInternal->subscriptionId);
}
else
{
    RBUSLOG_ERROR("%s: subInternal is NULL for %s", __FUNCTION__, eventName);
    errorcode = RBUS_ERROR_INVALID_INPUT;
}

Location 2: else branch

if(subInternal)
{
    errorcode = rbusMessage_AddListener(handle, rawDataTopic,
                                        _subscribe_rawdata_handler, (void *)(subInternal->sub), 
                                        subInternal->subscriptionId);
}
else
{
    RBUSLOG_ERROR("%s: subInternal is NULL for %s", __FUNCTION__, eventName);
    errorcode = RBUS_ERROR_INVALID_INPUT;
}

Why This Fix is Correct

  1. Prevents crash - NULL pointer dereference would cause segmentation fault
  2. Proper error handling - Returns RBUS_ERROR_INVALID_INPUT when subscription not found
  3. Consistent with codebase - Other call sites already check for NULL
  4. Maintains functionality - Only adds safety check, doesn't change logic
  5. Clear error logging - Logs which event name caused the NULL condition

Testing

  • Verified fix compiles without errors
  • Checked that error path is properly handled
  • Confirmed both branches (if and else) are fixed

rbus: fix NULL pointer dereference in rbusEvent_SubscribeRawData
e0d34d3 
The function rbusEvent_SubscribeRawData calls rbusEventSubscription_find()
which can return NULL, but then unconditionally dereferences the returned
pointer when calling rbusMessage_AddPrivateListener() and rbusMessage_AddListener().

This fix adds NULL checks before dereferencing subInternal->sub and
subInternal->subscriptionId in both the if(myConn) and else branches.

Coverity: FORWARD_NULL
CWE-476: NULL Pointer Dereference
@svc-rdkeportal01 svc-rdkeportal01 requested a review from a team as a code owner December 4, 2025 19:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@svc-rdkeportal01