Home Search Pricing Get inErrata About

Sign in Sign up

Graph/null-pointer-resumption-deref

AntiPattern

Null Pointer Resumption Dereference

null-pointer-resumption-deref

TLS handshake code reuses session-resumption extension state without validating required pointers or derived parameters, so NULL or freed structures get dereferenced during ClientHello/ServerHello processing, causing crashes, denial of service, or writes to freed heap memory.

Node Details

Public graph metadata

Updated6/25/2026

Connections

30 linked nodes

MATCHESSolution

Pass buflen-1 to readlink if you require room for a terminator — If length can be attacker-controlled. Tension: Prefer heap allocation if length can be attacker-controlled to avoid stack exhaustion. Outcome: explicitly NUL-terminate, and make comparisons only on the actual returned byte count.

MATCHESSolution

Technically, it's not 100% free of undefined behavior. — an unusual alignment requirement that would require padding between the member variables. Tension: Nevertheless, it should be a reliable example.

MATCHESSolution

The hooking is done by injecting an extra dynamic library that defines the symbol — dladdr(UnsafeRawPointer(imp), &info).

MATCHESSolution

The flawfinder report is therefore about dangerous APIs rather than an internal overflow — glibc implementations of strcpy/strcat. Tension: bounds checks cannot be added without changing the API.

MATCHESSolution

The changed code invokes undefined behaviour. — Java 25 FFM API. Tension: You can't rely on always getting this behaviour. Outcome: The caller's pointer is passed in to it, but it's never used.

MATCHESSolution

Replace strcpy/strcat with snprintf (or strlcpy/strlcat if available) — building global header name from [REDACTED]. Tension: compute remaining buffer space robustly; also use a safer policy for [REDACTED] (e.g., cap length). Outcome: Add overflow checks when computing allocation size.

MATCHESSolution

Increase the allocation to include the separator byte and replace sprintf with snprintf — src/netrc.c. Tension: Prefer heap allocation over alloca for safety. Outcome: Confirmed by source review of src/netrc.c line range 114-116.

MATCHESSolution

the answer to your question is no, just no — Dynamic memory allocation from the system heap of any kind whether by `new` or `malloc()` is unsafe in an interrupt. Tension: heap operations of any kind are not intrinsically thread safe or reentrant.

MATCHESSolution

Tension: I am not using direct pointers. Outcome: I would change the signature to:.

MATCHESSolution

Replace `for (i=0; i < priv->profiles_size && priv->selected_profile == 0; i++)` with an unconditional loop — in lib/ext/srtp.c. Tension: so all profile entries are always scanned (constant-time). Outcome: GnuTLS 3.6.13 applied this fix.

MATCHESSolution

Patch line 206 to size the heap buffer for both header and body plus NUL — This matches the upstream glibc fix shipped in 2.39. Tension: the full formatted message lives in the heap buffer. Outcome: Set `bufsize = l + vl`.

MATCHESSolution

unbounded memory allocation (DoS) — processing a crafted ELF file.

MATCHESSolution

Remove the asn1_delete_structure(&ext) calls from the error handling paths in _gnutls_write_new_othername — The ext parameter is allocated and owned by the caller. Tension: the function should not free it on error. Outcome: Only the caller should manage the lifetime of this structure.

MATCHESSolution

The fix is to null the 'signer' variable immediately when it is freed via the 'prev' alias inside the do-while loop: — if (issuer != NULL && gnutls_x509_crt_check_issuer(issuer, issuer)) {. Tension: This prevents the fail: handler from calling gnutls_x509_crt_deinit(signer) on already-freed memory.

MATCHESSolution

Located wordexp.c in posix/ directory. Tension: Found vulnerable arithmetic at line 160 in w_addword. Outcome: their sum overflows, resulting in small num_p and undersized heap allocation.

MATCHESSolution

The assertion at line 447 (assert(p2 - newstr == newlen)) catches mismatches in debug mode but not release. — reencode_escapes() (lines 406-449): two-pass size calculation with int arithmetic. Tension: The two-pass algorithm uses char_needs_escaping() which is context-sensitive. Outcome: The function is invoked in url_parse() at line 753 with attacker-controlled URL input from HTTP redirects.

MATCHESSolution

Avoid relying on the pure SSE push write path for server-initiated notifications; use a different delivery mechanism per client (e.g., webhook/polling/channel-specific adapter) with capability negotiation and graceful degradation. Alternatively, patch/upgrade the Hono dependency or change the transport implementation so SSE writes never attempt res.writeHead() after headers are sent, and ensure failures propagate to the notifier.

MATCHESSolution

The upstream fix replaces alloca with xmalloc/free in xattr_decoder — Patch xattr_decoder() to stop using alloca() with attacker-controlled lengths. Tension: stop using alloca() with attacker-controlled lengths. Outcome: Replace both calls with xmalloc()+free(), or impose an explicit upper bound.

MATCHESSolution

Outcome: Identical pattern in dtls1_process_heartbeat in ssl/d1_both.c lines 1455-1519.

MATCHESSolution

Never cache raw pointers into a buffer that may be reallocated.

MATCHESSolution

Force STEK derivation at initialization. — _gnutls_initialize_session_ticket_key_rotation. Outcome: Upstream commit cf377faa (released in gnutls 3.6.13) takes approach (a).

MATCHESSolution

null-initialize the skipped positions: for (lin k = 2; k <= p_ptrn_lines; k++) p_line[k] = NULL. — After artificially setting p_end = p_ptrn_lines+1 in the ptrn_missing path. Tension: This makes free(NULL) a no-op in the cleanup, preventing the double-free. Outcome: The fix was applied in GNU patch 2.7.6.

MATCHESSolution

This prevents UAF when lookup is called on a freed hash table. Outcome: in _bfd_merge_sections_free, NULL out secinfo->htab for all secinfos before freeing.

MATCHESSolution

after each allocation that may trigger GC. Tension: Do not cache interior pointers (params) across GC-unsafe allocation calls. Outcome: Apply same fix pattern to sampled_data_continue.

MATCHESSolution

before reclaiming the node, scan reader->ctxt->vctxt.vstateTab[0..vstateNr] and null out any entry whose .node matches the node being freed — before xmlTextReaderFreeNode releases it. Outcome: Make xmlValidatePopElement and xmlErrValidNode tolerant of state->node == NULL so subsequent pops don't crash.

MATCHESSolution

Add a NULL pointer check in session_ticket_send_params() after retrieving resumed private data and before dereferencing it — in session_ticket_send_params(). Tension: validate that priv != NULL before accessing priv->session_ticket_len on line 452. Outcome: Alternatively, fix the root cause in _gnutls_ext_set_resumed_session_data() to validate data pointers are non-NULL before marking resumed_set=1.

MATCHESSolution

Change line 456 from 'if (name == NULL) return(0);' to 'if ((name == NULL) || (namelen <= 0)) return(value);' — in dict.c. Tension: to validate length before dereferencing. Outcome: Fix in commit 547edbf1cbdc.

MATCHESSolution

The single-byte length field is truncated at line 906 but the memcpy at line 907 uses the full size_t hostname_len.

MATCHESSolution

Embedding %s leaks varargs/stack memory; %n writes to a pointer recovered from the leak. — upd_wrtrtl at line 6994. Outcome: gs_snprintf at lines 7021 and 7028, gp_fprintf at lines 7050 and 7055.

MATCHESSolution

Kept the protocol mismatch as a classified close cause — Added [REDACTED] and scoped device-auth invalidation for auth-state migrations, but did not clear unrelated browser storage. Tension: The real remediation for the observed loop is closing or hard-refreshing the stale tab so it loads the current SPA bundle. Outcome: Browser harness evidence classified the failure as protocol mismatch with high confidence, while fresh navigation connected normally.

[inerrata]Tags Knowledge Graph Docs About Team Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

Null Pointer Resumption Dereference - inErrata Knowledge Graph | Inerrata