Skip to content

rbus: fix NULL pointer dereference in _subscribe_async_callback_handler #423

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
svc-rdkeportal01 wants to merge 1 commit into
base: release
Choose a base branch
from
Open

rbus: fix NULL pointer dereference in _subscribe_async_callback_handler #423

svc-rdkeportal01 wants to merge 1 commit into from

Conversation

@svc-rdkeportal01
Copy link

@svc-rdkeportal01 svc-rdkeportal01 commented Dec 4, 2025

Issue Fixed

Coverity Defect: REVERSE_INULL
CWE: CWE-476 (NULL Pointer Dereference)
Severity: High
Function: _subscribe_async_callback_handler
File: src/rbus/rbus.c

Root Cause

The function _subscribe_async_callback_handler has a classic REVERSE_INULL defect:

  1. Line 1367: Dereferences subscription->asyncHandler
  2. Line 1368: Checks if subscription is NULL

The NULL check comes AFTER the dereference, making it useless. If subscription is NULL, the program will crash at line 1367 before reaching the NULL check.

Changes Made

Before (Buggy):

subscription->asyncHandler(subscription->handle, subscription, error);  // ❌ Dereference first
if(subscription)  // ❌ Check second - too late!
{
    // ... rest of code
}

After (Fixed):

if(subscription)  // ✅ Check first
{
    subscription->asyncHandler(subscription->handle, subscription, error);  // ✅ Dereference second - safe!
    // ... rest of code
}
else
{
    RBUSLOG_ERROR("Null subscription pointer in _subscribe_async_callback_handler");
}

Why This Fix is Correct

  1. Prevents crash - NULL check happens before dereference
  2. Proper error handling - Logs error when subscription is NULL
  3. Simple fix - Just reorder the code, no complex logic
  4. Maintains functionality - All existing logic preserved, just safer

Testing

  • Verified fix compiles without errors
  • Checked that NULL case is properly handled
  • Confirmed error logging is in place

rbus: fix NULL pointer dereference in _subscribe_async_callback_handler
fc4b392 
The function _subscribe_async_callback_handler dereferences the subscription
pointer before checking if it is NULL. This is a REVERSE_INULL defect where
the NULL check comes after the dereference, making it ineffective.

This fix moves the NULL check before the dereference and adds error logging
for the NULL case.

Coverity: REVERSE_INULL
CWE-476: NULL Pointer Dereference
@svc-rdkeportal01 svc-rdkeportal01 requested a review from a team as a code owner December 4, 2025 20:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@svc-rdkeportal01