Fix nullptr dereference in init_k8s_ssl()

bwolmarans · bwolmarans · commit 226820901f3a · 2018-01-18T14:17:32.000-08:00
diff --git a/userspace/libsinsp/sinsp.cpp b/userspace/libsinsp/sinsp.cpp
@@ -1872,46 +1872,47 @@ void sinsp::init_mesos_client(string* api_server, bool verbose)
 	}
 }
 
-void sinsp::init_k8s_ssl(const string &ssl_cert)
+void sinsp::init_k8s_ssl(const string *ssl_cert)
 {
 #ifdef HAS_CAPTURE
-	if(!ssl_cert.empty() && (!m_k8s_ssl || ! m_k8s_bt))
+	if(ssl_cert != nullptr && !ssl_cert->empty()
+	   && (!m_k8s_ssl || ! m_k8s_bt))
 	{
 		std::string cert;
 		std::string key;
 		std::string key_pwd;
 		std::string ca_cert;
 
 		// -K <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>]
-		std::string::size_type pos = ssl_cert.find(':');
+		std::string::size_type pos = ssl_cert->find(':');
 		if(pos == std::string::npos) // ca_cert-only is obsoleted, single entry is now bearer token
 		{
-			m_k8s_bt = std::make_shared<sinsp_bearer_token>(ssl_cert);
+			m_k8s_bt = std::make_shared<sinsp_bearer_token>(*ssl_cert);
 		}
 		else
 		{
-			cert = ssl_cert.substr(0, pos);
+			cert = ssl_cert->substr(0, pos);
 			if(cert.empty())
 			{
-				throw sinsp_exception(string("Invalid K8S SSL entry: ") + ssl_cert);
+				throw sinsp_exception(string("Invalid K8S SSL entry: ") + *ssl_cert);
 			}
 
-			// pos < ssl_cert.length() so it's safe to take
+			// pos < ssl_cert->length() so it's safe to take
 			// substr() from head, but it may be empty
 			std::string::size_type head = pos + 1;
-			pos = ssl_cert.find(':', head);
+			pos = ssl_cert->find(':', head);
 			if (pos == std::string::npos)
 			{
-				key = ssl_cert.substr(head);
+				key = ssl_cert->substr(head);
 			}
 			else
 			{
-				key = ssl_cert.substr(head, pos - head);
-				ca_cert = ssl_cert.substr(pos + 1);
+				key = ssl_cert->substr(head, pos - head);
+				ca_cert = ssl_cert->substr(pos + 1);
 			}
 			if(key.empty())
 			{
-				throw sinsp_exception(string("Invalid K8S SSL entry: ") + ssl_cert);
+				throw sinsp_exception(string("Invalid K8S SSL entry: ") + *ssl_cert);
 			}
 
 			// Parse the password if it exists
@@ -1967,7 +1968,7 @@ void sinsp::init_k8s_client(string* api_server, string* ssl_cert, bool verbose)
 			delete m_k8s_client;
 			m_k8s_client = nullptr;
 		}
-		init_k8s_ssl(*ssl_cert);
+		init_k8s_ssl(ssl_cert);
 		make_k8s_client();
 	}
 }
@@ -2021,7 +2022,7 @@ void sinsp::k8s_discover_ext()
 				{
 					m_k8s_collector = std::make_shared<k8s_handler::collector_t>();
 				}
-				if(uri(*m_k8s_api_server).is_secure()) { init_k8s_ssl(*m_k8s_api_cert); }
+				if(uri(*m_k8s_api_server).is_secure()) { init_k8s_ssl(m_k8s_api_cert); }
 				m_k8s_ext_handler.reset(new k8s_api_handler(m_k8s_collector, *m_k8s_api_server,
 									    "/apis/extensions/v1beta1", "[.resources[].name]",
 									    "1.1", m_k8s_ssl, m_k8s_bt, true));
@@ -2094,7 +2095,7 @@ void sinsp::update_k8s_state()
 					}
 					if(uri(*m_k8s_api_server).is_secure() && (!m_k8s_ssl || ! m_k8s_bt))
 					{
-						init_k8s_ssl(*m_k8s_api_cert);
+						init_k8s_ssl(m_k8s_api_cert);
 					}
 					m_k8s_api_handler.reset(new k8s_api_handler(m_k8s_collector, *m_k8s_api_server,
 										    "/api", ".versions", "1.1",
diff --git a/userspace/libsinsp/sinsp.h b/userspace/libsinsp/sinsp.h
@@ -747,7 +747,7 @@ class SINSP_PUBLIC sinsp
 	*/
 	double get_read_progress();
 
-	void init_k8s_ssl(const string &ssl_cert);
+	void init_k8s_ssl(const string *ssl_cert);
 	void init_k8s_client(string* api_server, string* ssl_cert, bool verbose = false);
 	void make_k8s_client();
 	k8s* get_k8s_client() const { return m_k8s_client; }

Original file line number	Diff line number	Diff line change
`@@ -1872,46 +1872,47 @@ void sinsp::init_mesos_client(string* api_server, bool verbose)`
`1872`	`1872`	`}`
`1873`	`1873`	`}`
`1874`	`1874`
`1875`		`-void sinsp::init_k8s_ssl(const string &ssl_cert)`
	`1875`	`+void sinsp::init_k8s_ssl(const string *ssl_cert)`
`1876`	`1876`	`{`
`1877`	`1877`	`#ifdef HAS_CAPTURE`
`1878`		`- if(!ssl_cert.empty() && (!m_k8s_ssl \|\| ! m_k8s_bt))`
	`1878`	`+ if(ssl_cert != nullptr && !ssl_cert->empty()`
	`1879`	`+ && (!m_k8s_ssl \|\| ! m_k8s_bt))`
`1879`	`1880`	`{`
`1880`	`1881`	`std::string cert;`
`1881`	`1882`	`std::string key;`
`1882`	`1883`	`std::string key_pwd;`
`1883`	`1884`	`std::string ca_cert;`
`1884`	`1885`
`1885`	`1886`	`// -K <bt_file> \| <cert_file>:<key_file[#password]>[:<ca_cert_file>]`
`1886`		`- std::string::size_type pos = ssl_cert.find(':');`
	`1887`	`+ std::string::size_type pos = ssl_cert->find(':');`
`1887`	`1888`	`if(pos == std::string::npos) // ca_cert-only is obsoleted, single entry is now bearer token`
`1888`	`1889`	`{`
`1889`		`- m_k8s_bt = std::make_shared<sinsp_bearer_token>(ssl_cert);`
	`1890`	`+ m_k8s_bt = std::make_shared<sinsp_bearer_token>(*ssl_cert);`
`1890`	`1891`	`}`
`1891`	`1892`	`else`
`1892`	`1893`	`{`
`1893`		`- cert = ssl_cert.substr(0, pos);`
	`1894`	`+ cert = ssl_cert->substr(0, pos);`
`1894`	`1895`	`if(cert.empty())`
`1895`	`1896`	`{`
`1896`		`- throw sinsp_exception(string("Invalid K8S SSL entry: ") + ssl_cert);`
	`1897`	`+ throw sinsp_exception(string("Invalid K8S SSL entry: ") + *ssl_cert);`
`1897`	`1898`	`}`
`1898`	`1899`
`1899`		`- // pos < ssl_cert.length() so it's safe to take`
	`1900`	`+ // pos < ssl_cert->length() so it's safe to take`
`1900`	`1901`	`// substr() from head, but it may be empty`
`1901`	`1902`	`std::string::size_type head = pos + 1;`
`1902`		`- pos = ssl_cert.find(':', head);`
	`1903`	`+ pos = ssl_cert->find(':', head);`
`1903`	`1904`	`if (pos == std::string::npos)`
`1904`	`1905`	`{`
`1905`		`- key = ssl_cert.substr(head);`
	`1906`	`+ key = ssl_cert->substr(head);`
`1906`	`1907`	`}`
`1907`	`1908`	`else`
`1908`	`1909`	`{`
`1909`		`- key = ssl_cert.substr(head, pos - head);`
`1910`		`- ca_cert = ssl_cert.substr(pos + 1);`
	`1910`	`+ key = ssl_cert->substr(head, pos - head);`
	`1911`	`+ ca_cert = ssl_cert->substr(pos + 1);`
`1911`	`1912`	`}`
`1912`	`1913`	`if(key.empty())`
`1913`	`1914`	`{`
`1914`		`- throw sinsp_exception(string("Invalid K8S SSL entry: ") + ssl_cert);`
	`1915`	`+ throw sinsp_exception(string("Invalid K8S SSL entry: ") + *ssl_cert);`
`1915`	`1916`	`}`
`1916`	`1917`
`1917`	`1918`	`// Parse the password if it exists`
`@@ -1967,7 +1968,7 @@ void sinsp::init_k8s_client(string* api_server, string* ssl_cert, bool verbose)`
`1967`	`1968`	`delete m_k8s_client;`
`1968`	`1969`	`m_k8s_client = nullptr;`
`1969`	`1970`	`}`
`1970`		`- init_k8s_ssl(*ssl_cert);`
	`1971`	`+ init_k8s_ssl(ssl_cert);`
`1971`	`1972`	`make_k8s_client();`
`1972`	`1973`	`}`
`1973`	`1974`	`}`
`@@ -2021,7 +2022,7 @@ void sinsp::k8s_discover_ext()`
`2021`	`2022`	`{`
`2022`	`2023`	`m_k8s_collector = std::make_shared<k8s_handler::collector_t>();`
`2023`	`2024`	`}`
`2024`		`- if(uri(m_k8s_api_server).is_secure()) { init_k8s_ssl(m_k8s_api_cert); }`
	`2025`	`+ if(uri(*m_k8s_api_server).is_secure()) { init_k8s_ssl(m_k8s_api_cert); }`
`2025`	`2026`	`m_k8s_ext_handler.reset(new k8s_api_handler(m_k8s_collector, *m_k8s_api_server,`
`2026`	`2027`	`"/apis/extensions/v1beta1", "[.resources[].name]",`
`2027`	`2028`	`"1.1", m_k8s_ssl, m_k8s_bt, true));`
`@@ -2094,7 +2095,7 @@ void sinsp::update_k8s_state()`
`2094`	`2095`	`}`
`2095`	`2096`	`if(uri(*m_k8s_api_server).is_secure() && (!m_k8s_ssl \|\| ! m_k8s_bt))`
`2096`	`2097`	`{`
`2097`		`- init_k8s_ssl(*m_k8s_api_cert);`
	`2098`	`+ init_k8s_ssl(m_k8s_api_cert);`
`2098`	`2099`	`}`
`2099`	`2100`	`m_k8s_api_handler.reset(new k8s_api_handler(m_k8s_collector, *m_k8s_api_server,`
`2100`	`2101`	`"/api", ".versions", "1.1",`