@svc-rdkeportal01
Issue Fixed

Coverity Defect: REVERSE_INULL
CWE: CWE-476 (NULL Pointer Dereference)
Severity: High
Function: construct_input_into_cmds
File: utils/rbuscli/rbuscli.c

Root Cause

The function construct_input_into_cmds has a classic REVERSE_INULL defect:

  1. Line 2595: Dereferences argv[argc++] = "rbuscli"
  2. Later in the function: Checks if argv is NULL

The dereference happens BEFORE any NULL check, making the check useless. If argv is NULL, the program will crash at line 2595 before any NULL check can prevent it.

Changes Made

Before (Buggy):

int argc = 0;
argv[argc++] = "rbuscli";  // ❌ Dereference first - crashes if NULL!
runSteps = __LINE__;
// ... later code might check argv for NULL (too late!)

After (Fixed):

int argc = 0;
if (argv)  // ✅ Check first
{
    argv[argc++] = "rbuscli";  // ✅ Safe to dereference
}
else
{
    argc++;  // ✅ Still increment argc for consistency
}
runSteps = __LINE__;

Also fixed: Removed trailing whitespace on line with quote = 0;

Why This Fix is Correct

  1. Prevents crash - NULL check happens before dereference
  2. Maintains consistency - argc is still incremented even when argv is NULL
  3. Proper error handling - Function can handle NULL argv gracefully
  4. Simple fix - Just adds a NULL check, no complex logic

When Can argv Be NULL?

The function signature is:

static int construct_input_into_cmds(char* buff, int* pargc, char** argv)

While uncommon, argv could be NULL if:

  • Caller passes NULL intentionally to just count arguments
  • Memory allocation failure before calling this function
  • Programming error in caller

The fix makes the function more robust by handling this edge case.

Testing

  • Verified fix compiles without errors
  • Checked that NULL case is properly handled
  • Confirmed normal operation (non-NULL argv) is unaffected

The function construct_input_into_cmds dereferences the argv pointer
before checking if it is NULL. This is a REVERSE_INULL defect where
the dereference happens before the NULL check.

This fix adds a NULL check before dereferencing argv. If argv is NULL,
we only increment argc without dereferencing.

Also removed trailing whitespace on the quote = 0 line.

Coverity: REVERSE_INULL
CWE-476: NULL Pointer Dereference
@svc-rdkeportal01 requested a review from a team as a code owner December 4, 2025 20:52
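
An added illustration, not code from this pull request or from rbus: the check-before-dereference rule applied at every store in a tokenizer that uses the signature quoted in the description. `split_into_cmds`, `push_arg`, `MAX_ARGS`, `WS` and the count-only meaning of a NULL `argv` are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 8      /* assumed capacity of the caller's argv array */
#define WS " \t\r\n"    /* assumed token delimiters */

/* Single choke point: store only if the caller supplied argv, always count. */
static void push_arg(char **argv, int *argc, char *tok)
{
    if (argv != NULL)
        argv[*argc] = tok;
    (*argc)++;
}

/* Hypothetical whitespace tokenizer (not the rbuscli function). Splits buff
 * in place; argv == NULL means "count only" and leaves buff unmodified.
 * Returns 0 on success, -1 on bad arguments or more than MAX_ARGS entries. */
static int split_into_cmds(char *buff, int *pargc, char **argv)
{
    int argc = 0;
    char *p = buff;
    if (buff == NULL || pargc == NULL)
        return -1;                      /* validate before the first dereference */
    push_arg(argv, &argc, "rbuscli");   /* slot 0: program name */
    for (p += strspn(p, WS); *p != '\0'; p += strspn(p, WS)) {
        if (argc >= MAX_ARGS)
            return -1;                  /* bound every store, not just the first */
        push_arg(argv, &argc, p);
        p += strcspn(p, WS);            /* p is now at a delimiter or the end */
        if (*p != '\0' && argv != NULL)
            *p++ = '\0';                /* terminate tokens only when storing */
    }
    *pargc = argc;
    return 0;
}

int main(void)
{
    char line[] = "get Device.Info x", *av[MAX_ARGS]; /* constructed input */
    int n = 0;
    if (split_into_cmds(line, &n, NULL) == 0 && split_into_cmds(line, &n, av) == 0)
        printf("%d args, last: %s\n", n, av[n - 1]);
    return 0;
}
```

Routing every write through one guarded helper keeps a later `argv[...]` store from reintroducing the dereference that the first-line check was meant to prevent.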