
Potential Null Pointer Dereference in esxUtil_ParseDatastorePath in src/esx/esx_util.c

Component: libvirt / ESX driver

Version: libvirt 10.5.0

Severity: NORMAL

Description: esxUtil_ParseDatastorePath() in src/esx/esx_util.c takes a string datastorePath in the format [datastore] path/to/file and splits it into the datastore name, the directory and the directory-plus-file name. If datastorePath is NULL, g_strdup(NULL) returns NULL and that NULL copy is handed to STRSKIP without any prior check, so the function dereferences a null pointer (undefined behaviour, in practice a crash).

Steps to Reproduce:

  1. Call esxUtil_ParseDatastorePath() with datastorePath = NULL.
  2. g_strdup(NULL) returns NULL; the function passes that NULL copy to STRSKIP without checking it.
  3. STRSKIP dereferences the null pointer and the process crashes.

Expected Behavior: The function should reject a NULL datastorePath the same way it already rejects a malformed or empty string: return -1 and report the problem with virReportError(VIR_ERR_INVALID_ARG, ...).

Actual Behavior: When NULL is passed to esxUtil_ParseDatastorePath(), a null pointer is dereferenced and the program crashes. An empty string is not affected: g_strdup("") yields "", STRSKIP finds no "[" prefix and returns NULL, and the existing format check reports VIR_ERR_INVALID_ARG without crashing.

Code Analysis: The relevant fragment of the function (abridged):

int
esxUtil_ParseDatastorePath(const char *datastorePath, char **datastoreName,
                           char **directoryName, char **directoryAndFileName)
{
    ...
    /* g_strdup(NULL) returns NULL; nothing checks datastorePath or
     * copyOfDatastorePath before STRSKIP below operates on the copy */
    copyOfDatastorePath = g_strdup(datastorePath);

    /* Expected format: '[<datastore>] <path>' where <path> is optional */
    if (!(tmp = STRSKIP(copyOfDatastorePath, "[")) || *tmp == ']' ||
        !(preliminaryDatastoreName = strtok_r(tmp, "]", &saveptr))) {
        virReportError(VIR_ERR_INVALID_ARG,
                       _("Datastore path '%1$s' doesn't have expected format '[<datastore>] <path>'"),
                       datastorePath);
        goto cleanup;
    }
    ...
}

g_strdup() returns NULL only when its argument is NULL (GLib aborts on allocation failure rather than returning NULL), so copyOfDatastorePath is NULL exactly when datastorePath is NULL, and every subsequent use of it, starting with the STRSKIP prefix comparison, is undefined behaviour.

Proposed Fix: Validate datastorePath before it is copied.

Suggested Actions:

  1. At the top of the function, reject a NULL datastorePath: report VIR_ERR_INVALID_ARG with virReportError() and return -1. An empty string already fails the existing format check, so it needs no separate test.
  2. A check on the result of g_strdup() is not needed: with GLib, g_strdup() returns NULL only for NULL input, and allocation failure aborts the process instead of returning NULL.
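The following is an added example, not libvirt's own code: a self-contained re-creation of the '[<datastore>] <path>' parser with the NULL guard proposed above, so the crash path and the fixed path can be compared on real input. STRPREFIX/STRSKIP are assumed stand-ins for libvirt's macros of the same name (taken here to be strncmp-based), xstrndup() replaces g_strdup(), and the split of <path> into directory and directory-plus-file is this example's own simplified rule rather than libvirt's exact behaviour. parse_datastore_path() and check_parse() are hypothetical names introduced for the example.

```c
/* Added example, not libvirt code: re-creation of the '[<datastore>] <path>'
 * parser with the NULL guard the report asks for. STRPREFIX/STRSKIP stand in
 * for libvirt's macros (assumed strncmp-based); xstrndup() stands in for
 * g_strdup(); the directory/file split is this example's own simple rule. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STRPREFIX(a, b) (strncmp((a), (b), strlen(b)) == 0)
#define STRSKIP(a, b)   (STRPREFIX((a), (b)) ? (a) + strlen(b) : NULL)

/* Copy the first n bytes of s into a fresh NUL-terminated buffer. */
static char *
xstrndup(const char *s, size_t n)
{
    char *p = malloc(n + 1);
    if (p) {
        memcpy(p, s, n);
        p[n] = '\0';
    }
    return p;
}

/* Returns 0 on success (outputs are malloc'd, caller frees them) or -1 on
 * error (outputs are left NULL). */
static int
parse_datastore_path(const char *datastorePath, char **datastoreName,
                     char **directoryName, char **directoryAndFileName)
{
    char *copy = NULL, *tmp, *saveptr = NULL, *dsName;
    const char *rest, *slash;
    int ret = -1;

    *datastoreName = *directoryName = *directoryAndFileName = NULL;

    /* The missing guard: without it a NULL copy reaches STRSKIP, whose
     * strncmp() dereferences it. */
    if (!datastorePath) {
        fprintf(stderr, "Datastore path is NULL\n");
        return -1;
    }
    if (!(copy = xstrndup(datastorePath, strlen(datastorePath))))
        return -1;

    /* Same format check as the reported fragment. An empty string fails
     * here without crashing: "" has no '[' prefix, so STRSKIP yields NULL. */
    if (!(tmp = STRSKIP(copy, "[")) || *tmp == ']' ||
        !(dsName = strtok_r(tmp, "]", &saveptr))) {
        fprintf(stderr, "Datastore path '%s' doesn't have expected format "
                        "'[<datastore>] <path>'\n", datastorePath);
        goto cleanup;
    }

    /* Everything after ']' is the optional path; skip the separating blank. */
    rest = strtok_r(NULL, "", &saveptr);
    if (!rest)
        rest = "";
    while (*rest == ' ')
        rest++;

    *datastoreName = xstrndup(dsName, strlen(dsName));
    *directoryAndFileName = xstrndup(rest, strlen(rest));
    slash = strrchr(rest, '/');
    *directoryName = xstrndup(rest, slash ? (size_t)(slash - rest) : 0);
    if (!*datastoreName || !*directoryAndFileName || !*directoryName)
        goto cleanup;
    ret = 0;

 cleanup:
    if (ret < 0) {
        free(*datastoreName);
        free(*directoryName);
        free(*directoryAndFileName);
        *datastoreName = *directoryName = *directoryAndFileName = NULL;
    }
    free(copy);
    return ret;
}

static int
str_eq(const char *a, const char *b)
{
    return (!a && !b) || (a && b && strcmp(a, b) == 0);
}

/* Parse one input and compare return code and outputs with the expectation;
 * returns 1 on a match, 0 otherwise. */
static int
check_parse(const char *input, int expectRet, const char *expectDs,
            const char *expectDir, const char *expectDaf)
{
    char *ds, *dir, *daf;
    int rc = parse_datastore_path(input, &ds, &dir, &daf);
    int ok = rc == expectRet && str_eq(ds, expectDs) &&
             str_eq(dir, expectDir) && str_eq(daf, expectDaf);
    free(ds);
    free(dir);
    free(daf);
    return ok;
}
```

Removing the `if (!datastorePath)` block and calling check_parse(NULL, ...) reproduces the reported crash (strncmp on a NULL pointer inside STRSKIP); with the guard in place, NULL, "", "[] x" and a string without a leading '[' all take the -1 error path while well-formed input is split as described.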

Additional Notes:

  • The issue may have been detected using the static analysis tool SVACE.

Reported By: Alex Newrow
