A NULL 'list' passed into function dump_qlist() isn't correctly
validated and can be passed to qlist_first() where it is dereferenced.
This could be resolved by checking if the list is NULL in dump_qlist()
and returning immediately. However, the general case can be handled by
adding a NULL arg check to to qlist_first() and qlist_next() and all
the callers to those functions handle that cleanly.
Signed-off-by: Liam Merwick <liam.merw...@oracle.com>
Reviewed-by: Darren Kenny <darren.ke...@oracle.com>
Reviewed-by: Mark Kanda <mark.ka...@oracle.com>
---
include/qapi/qmp/qlist.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/include/qapi/qmp/qlist.h b/include/qapi/qmp/qlist.h
index 8d2c32ca2863..1ec716e2eb9e 100644
--- a/include/qapi/qmp/qlist.h
+++ b/include/qapi/qmp/qlist.h
@@ -58,11 +58,17 @@ void qlist_destroy_obj(QObject *obj);
static inline const QListEntry *qlist_first(const QList *qlist)
{
+ if (!qlist) {
+ return NULL;
+ }
return QTAILQ_FIRST(&qlist->head);
}
static inline const QListEntry *qlist_next(const QListEntry *entry)
{
+ if (!entry) {
+ return NULL;
+ }
return QTAILQ_NEXT(entry, next);
}
--
1.8.3.1
