In sys/pipe/pipe_dynamic.c:
If malloc returns NULL on line 41, the variable m_pipe will be NULL, but the pointer to m_pipe->pipe is returned on line 46.
In drivers/usbdev_mock/usbdev_mock.c:
The variable res is checked on line 88, which indicates that it can be NULL, but the pointer to res->ep is returned on line 97.
In sys/net/gnrc/routing/rpl/gnrc_rpl_control_messages.c:
It can be inferred that dst can be NULL on line 1216, but it is dereferenced in gnrc_rpl_validation_DAO_ACK on line 1220.
The same seems to apply to dst on line 677.
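The two shapes of bug in the report above (an unchecked allocation whose `&obj->member` is returned, and a lookup result that is NULL-checked on one path but has `&res->member` returned on every path) share one nasty property: `&ptr->member` with a NULL `ptr` does not fault, it evaluates to the member's offset, a small non-NULL value. A caller that checks the returned pointer against NULL is therefore fooled, and the crash happens later at the first real access. The following is an added example, not RIOT code or the reporter's tool output; all type and function names (`pipe_wrapper_t`, `pipe_open_buggy`, `find_ep_fixed`, the forced-failure `xmalloc` hook, the sample device table) are hypothetical stand-ins for the real files.

```c
/*
 * Added example (not RIOT code): the two NULL-pointer shapes from the report,
 * reproduced with hypothetical names, each beside its fixed form.
 *
 *  Shape 1: malloc() result never checked, `&w->pipe` returned.
 *  Shape 2: lookup result checked where it is written, not where it is returned.
 */
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical wrapper around an embedded object whose address is handed out. */
typedef struct {
    int fd[2];
} pipe_t;

typedef struct {
    int owner;
    pipe_t pipe;            /* the member whose address escapes */
} pipe_wrapper_t;

/* Constructed allocator hook so an allocation failure can be forced on demand. */
static int force_alloc_failure = 0;

static void *xmalloc(size_t n)
{
    return force_alloc_failure ? NULL : malloc(n);
}

/* Shape 1, buggy: on failure w == NULL and the caller receives
 * (pipe_t *)offsetof(pipe_wrapper_t, pipe), which is not NULL. */
pipe_t *pipe_open_buggy(void)
{
    pipe_wrapper_t *w = xmalloc(sizeof(*w));
    return &w->pipe;
}

/* Shape 1, fixed: propagate the failure as NULL before any member is touched. */
pipe_t *pipe_open_fixed(void)
{
    pipe_wrapper_t *w = xmalloc(sizeof(*w));
    if (w == NULL) {
        return NULL;
    }
    w->owner = 0;
    w->pipe.fd[0] = -1;
    w->pipe.fd[1] = -1;
    return &w->pipe;
}

/* Release a pipe from pipe_open_fixed(): recover the enclosing wrapper first. */
void pipe_close_fixed(pipe_t *p)
{
    if (p != NULL) {
        free((char *)p - offsetof(pipe_wrapper_t, pipe));
    }
}

/* Hypothetical endpoint table for shape 2 (constructed sample device). */
typedef struct { int num; } usb_ep_t;
typedef struct { int refs; usb_ep_t ep; } ep_entry_t;
typedef struct { ep_entry_t eps[2]; } usb_dev_t;

static usb_dev_t g_dev = { { { 0, { 1 } }, { 0, { 2 } } } };

static ep_entry_t *ep_lookup(usb_dev_t *dev, unsigned idx)
{
    return idx < 2 ? &dev->eps[idx] : NULL;
}

/* Shape 2, buggy: the guard protects the write but not the returned pointer. */
usb_ep_t *find_ep_buggy(usb_dev_t *dev, unsigned idx)
{
    ep_entry_t *res = ep_lookup(dev, idx);
    if (res != NULL) {
        res->refs++;
    }
    return &res->ep;        /* non-NULL garbage when res == NULL */
}

/* Shape 2, fixed: the same check also decides the return value. */
usb_ep_t *find_ep_fixed(usb_dev_t *dev, unsigned idx)
{
    ep_entry_t *res = ep_lookup(dev, idx);
    if (res == NULL) {
        return NULL;
    }
    res->refs++;
    return &res->ep;
}

int main(void)
{
    force_alloc_failure = 1;
    printf("buggy open on failed malloc -> %p\n", (void *)pipe_open_buggy());
    printf("fixed open on failed malloc -> %p\n", (void *)pipe_open_fixed());
    force_alloc_failure = 0;
    pipe_t *p = pipe_open_fixed();
    printf("fixed open -> fd[0]=%d\n", p->fd[0]);
    pipe_close_fixed(p);
    printf("find_ep(99): buggy -> %p, fixed -> %p\n",
           (void *)find_ep_buggy(&g_dev, 99), (void *)find_ep_fixed(&g_dev, 99));
    return 0;
}
```

The practical check when reviewing code of this shape is to look at every `return &x->y;` and ask whether `x` can be NULL on any path reaching it; a NULL check at the call site does not help, because the returned value is never NULL.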
@bergzand can you check the one targeting usb?
@cgundogan can you take a look at the rpl issue?
Thanks for the catch @tluio, how did you come across these bugs, did you use some kind of vulnerability scanner?
It's my pleasure! Yes, I used a static code analysis tool written by myself.
@tluio Must be quite an impressive tool, seeing that you've managed to find 3 obscure bugs in RIOT, and some more in Zephyr and some other repos, in only a few days' time!
Are you planning to opensource this tool? Because I'm curious to see how it works :)
Thanks for your interest!
Our tool is still under development, so we are considering releasing it in the future :)
Any suggestions on our bug report will be helpful for improving our tool.
Sounds like a tool you may want to present at an important conference. ;) Black Hat, Chaos Communication Congress or something similar.