DerefExpression: Add missing nullptr check

julianbrost · julianbrost · commit a02a4594f4b4 · 2025-10-08T10:04:52.000+02:00
Due to this missing check, evaluating a DSL expression can result in a null
dereference, crashing the Icinga 2 process. Given that API users can also
provide DSL expression as filters, this can be triggered over the network as
well.

This issue was assigned CVE-2025-61908.
diff --git a/lib/config/expression.cpp b/lib/config/expression.cpp
@@ -185,6 +185,10 @@ bool DerefExpression::GetReference(ScriptFrame& frame, bool init_dict, Value *pa
 
 	Reference::Ptr ref = operand.GetValue();
 
+	if (!ref) {
+		BOOST_THROW_EXCEPTION(ScriptError("Invalid reference specified.", GetDebugInfo()));
+	}
+
 	*parent = ref->GetParent();
 	*index = ref->GetIndex();
 	return true;
diff --git a/test/config-ops.cpp b/test/config-ops.cpp
@@ -241,6 +241,10 @@ BOOST_AUTO_TEST_CASE(advanced)
 	expr = ConfigCompiler::CompileText("<test>", "{{ 3 }}");
 	func = expr->Evaluate(frame).GetValue();
 	BOOST_CHECK(func->Invoke() == 3);
+
+	// Regression test for CVE-2025-61908
+	expr = ConfigCompiler::CompileText("<test>", "&*null");
+	BOOST_CHECK_THROW(expr->Evaluate(frame).GetValue(), ScriptError);
 }
 
 BOOST_AUTO_TEST_SUITE_END()
