From 73a11f40842d6c3628d8ca37df6514f67c25eede Mon Sep 17 00:00:00 2001
From: rdondeti
Date: Sat, 28 Mar 2026 23:32:12 -0500
Subject: [PATCH 1/2] cachedb_memcached: fix NULL deref when memcached_create() returns NULL memcached_create(NULL) can return NULL on allocation failure. The existing code never checks the return value, so a NULL memc pointer falls through to memcached_server_push(NULL, ...) which dereferences the NULL pointer. Add an explicit NULL check after memcached_create(), following the existing error-handling pattern in the function (pkg_free + return 0). Found during a systematic audit of cachedb backends following the cachedb_redis NULL-deref fix in commit 8fb569cb3.
---
 modules/cachedb_memcached/cachedb_memcached.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/modules/cachedb_memcached/cachedb_memcached.c b/modules/cachedb_memcached/cachedb_memcached.c
index 9efdfc29616..f2fd4e8eab5 100644
--- a/modules/cachedb_memcached/cachedb_memcached.c
+++ b/modules/cachedb_memcached/cachedb_memcached.c
@@ -400,6 +400,11 @@ memcached_con* memcached_new_connection(struct cachedb_id *id)
 con->ref = 1;
 con->memc = memcached_create(NULL);
+ if (!con->memc) {
+ LM_ERR("failed to create memcached handle\n");
+ pkg_free(con);
+ return 0;
+ }
 memset(host_buff,0,MAX_HOSTPORT_SIZE);
From 6cf5380fc4d09f8488628951c42ff768eb164318 Mon Sep 17 00:00:00 2001
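Review bot: The guard added after `memcached_create(NULL)` releases only `con`, which is correct at this point, but once the handle exists every later failure path in `memcached_new_connection()` has two things to release, and those paths lie outside this hunk. If they still follow the `pkg_free(con); return 0;` pattern, or return without freeing anything, they should call `memcached_free(con->memc);` first; otherwise repeated connection failures leak handles in a long-running process. A one-line comment above the new check, `/* memcached_create() returns NULL on allocation failure */`, would also keep the guard from being removed later as apparently dead code.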
From: rdondeti
Date: Sat, 28 Mar 2026 23:32:18 -0500
Subject: [PATCH 2/2] cachedb_cassandra: fix NULL deref when cass_cluster_new() returns NULL cass_cluster_new() can return NULL on allocation failure. The existing code has a NULL check, but it comes after cass_cluster_set_credentials() already uses the pointer (when credentials are configured), so a NULL return causes a crash before the check is reached. Move the NULL check to immediately after cass_cluster_new(), before any use of the returned pointer. Found during a systematic audit of cachedb backends following the cachedb_redis NULL-deref fix in commit 8fb569cb3.
---
 modules/cachedb_cassandra/cachedb_cassandra_dbase.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/cachedb_cassandra/cachedb_cassandra_dbase.c b/modules/cachedb_cassandra/cachedb_cassandra_dbase.c
index 580fb470405..f50cd5b0627 100644
--- a/modules/cachedb_cassandra/cachedb_cassandra_dbase.c
+++ b/modules/cachedb_cassandra/cachedb_cassandra_dbase.c
@@ -141,13 +141,13 @@ int cassandra_reopen(cassandra_con *cass_con)
 int cassandra_new_connection(cassandra_con *con, char *host, int port, char *username, char *password)
 {
 con->cluster = cass_cluster_new();
- if (username && password) {
- cass_cluster_set_credentials(con->cluster, username, password);
- }
 if (!con->cluster) {
 LM_ERR("Failed to create Cassandra Cluster object\n");
 return -1;
 }
+ if (username && password) {
+ cass_cluster_set_credentials(con->cluster, username, password);
+ }
 #if CASS_VERSION_MAJOR >= 2 && CASS_VERSION_MINOR >= 15
 /* since version 2.15, DSE support is available in the standard driver
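Review bot: The relocated `if (username && password)` block still skips `cass_cluster_set_credentials()` silently when only one of the two values is configured, so a half-configured URL leads to an unauthenticated connection attempt with nothing in the logs to explain it. Consider adding `else if (username || password) LM_WARN("Cassandra credentials incomplete, connecting without authentication\n");` after the block. Separately, `con` is dereferenced on the first statement of `cassandra_new_connection()` without a check, which is safe only if every caller guarantees a non-NULL `con`; the hunk does not show that. The function body continues outside the hunk.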