Skip to content

fix(mdns): Fix null pointer exception in mdns_parse_packet (IDFGH-17353)#1025

Open
scaiper wants to merge 1 commit intoespressif:masterfrom
scaiper:fix-npe
Open

fix(mdns): Fix null pointer exception in mdns_parse_packet (IDFGH-17353)#1025
scaiper wants to merge 1 commit intoespressif:masterfrom
scaiper:fix-npe

Conversation

@scaiper
Copy link

@scaiper scaiper commented Mar 9, 2026
edited by cursor bot
Loading

Description

This PR fixes a null pointer exception in mdns component.
In mdns_parse_packet function there is a call to remove_parsed_question which might get parsed_packet with the NULL questions field.
https://github.com/espressif/esp-protocols/blob/mdns-v1.10.1/components/mdns/mdns_receive.c#L860

There is the log of the crash. Backtrace points to the neighboring call, probably, due to compiler optimizations.

Guru Meditation Error: Core  0 panic'ed (Load access fault). Exception was unhandled.

--- Backtrace:


add symbol table from file "/home/scaiper/config/.esphome/build/test/build/bootloader/bootloader.elf"
question_matches (question=question@entry=0x0, type=type@entry=50, service=service@entry=0x3fcaf6e0) at /home/scaiper/config/.esphome/build/test/managed_components/espressif__mdns/mdns_receive.c:520
520         if (question->type != type) {
#0  question_matches (question=question@entry=0x0, type=type@entry=50, service=service@entry=0x3fcaf6e0) at /home/scaiper/config/.esphome/build/test/managed_components/espressif__mdns/mdns_receive.c:520
#1  0x4202d76e in remove_parsed_question (parsed_packet=0x3fcae294, type=50, service=0x3fcaf6e0) at /home/scaiper/config/.esphome/build/test/managed_components/espressif__mdns/mdns_receive.c:557
#2  0x4202e426 in mdns_parse_packet (packet=0x3fcb086c) at /home/scaiper/config/.esphome/build/test/managed_components/espressif__mdns/mdns_receive.c:862
#3  mdns_priv_receive_action (action=action@entry=0x3fcafa40, type=type@entry=ACTION_RUN) at /home/scaiper/config/.esphome/build/test/managed_components/espressif__mdns/mdns_receive.c:1276
#4  0x4202c8da in execute_action (action=0x3fcafa40) at /home/scaiper/config/.esphome/build/test/managed_components/espressif__mdns/mdns_service.c:182
#5  service_task (pvParameters=<optimized out>) at /home/scaiper/config/.esphome/build/test/managed_components/espressif__mdns/mdns_service.c:211
#6  0x00000000 in ?? ()
Backtrace stopped: frame did not save the PC

Related

All of my esphome devices running esp32 started crashing with this error after I updated my routers to OpenWrt 25.12.
I don't know, are mdns packets causing this issue valid or not. Regardless, mdns componets should not just crash.

Testing

Checklist

Before submitting a Pull Request, please ensure the following:

  • 🚨 This PR does not introduce breaking changes.
  • All CI checks (GH Actions) pass. (approval needed)
  • Documentation is updated as needed. (not needed)
  • Tests are updated or added as necessary. (not needed)
  • Code is well-commented, especially in complex areas.
  • Git history is clean — commits are squashed to the minimum necessary.

Note

Low Risk
Low risk: adds a simple NULL check to avoid dereferencing an empty questions list during mDNS packet parsing, with no behavioral change when questions are present.

Overview
Prevents a crash in mdns_parse_packet by making remove_parsed_question return early when parsed_packet->questions is NULL, avoiding a null dereference in question_matches for packets that produce no saved questions.

Written by Cursor Bugbot for commit 5681209. This will update automatically on new commits. Configure here.

@CLAassistant
Copy link

CLAassistant commented Mar 9, 2026
edited
Loading

CLA assistant check
All committers have signed the CLA.

@scaiper scaiper marked this pull request as ready for review March 9, 2026 21:11
@github-actions github-actions bot changed the title fix(mdns): Fix null pointer exception in mdns_parse_packet fix(mdns): Fix null pointer exception in mdns_parse_packet (IDFGH-17353) Mar 9, 2026
@espressif-bot espressif-bot added the Status: Opened Issue is new label Mar 9, 2026
david-cermak
david-cermak approved these changes Mar 13, 2026
View reviewed changes
Copy link
Collaborator

@david-cermak david-cermak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @scaiper

Thank you for your contribution!
I briefly checked and it seems to be possible that the question list is NULL while nr of questions is non zero in the packet header (and even with valid packets!).
thanks again for the fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@david-cermak david-cermak david-cermak approved these changes

Assignees

@david-cermak david-cermak

Labels

mdns mdns-fuzz Status: Opened Issue is new

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@scaiper @CLAassistant @david-cermak @espressif-bot