Two bugs may lead to NULL dereference.

[tluio]

1. sys/pipe/pipe_dynamic.c
   If malloc returns NULL on line 41, the variable m_pipe will be NULL, but the pointer to m_pipe->pipe is returned on line 46.

2. drivers/usbdev_mock/usbdev_mock.c
   The variable res is checked on line 88 which indicates that it can be NULL, but the pointer to res->ep is returned on line 97.

[tluio]

In sys/net/gnrc/routing/rpl/gnrc_rpl_control_messages.c:
It can be inferred that dst can be NULL on line 1216, but it is dereferenced in gnrc_rpl_validation_DAO_ACK on line 1220.
And dst on line 677 seems to be the same.

[fjmolinas]

@bergzand can you check the one targeting usb?

[fjmolinas]

@cgundogan can you take a look at the rpl issue?

[fjmolinas]

Thanks for the catch @tluio, how did you come across these bugs, did you use some kind of vulnerability scanner?

[tluio]

Thanks for the catch @tluio, how did you come across these bugs, did you use some kind of vulnerability scanner?

It's my pleasure! Yes, I used a static code analysis tool written by myself.

[wosym]

@tluio Must be quite an impressive tool, seeing that you've managed to find 3 obscure bugs in RIOT, and some more in Zephyr and some other repos in only a few days time!
Are you planning to opensource this tool? Because I'm curious to see how it works :)

[tluio]

Thanks for your interest!
Our tool is still under development, so we consider releasing it in the future :)
Any suggestion to our bug report will be helpful to improving our tool.

[Citrullin]

Thanks for your interest!
Our tool is still under development, so we consider releasing it in the future :)
Any suggestion to our bug report will be helpful to improving our tool.

Sounds like a tool you may want to present on an important conference. ;) Blackhat, Chaos Communication Congress or something similar.