Summary
A NULL pointer dereference exists in the set_driver_parameter() function in server.c of the remote-debug-for-intel-fpga project. The SET_DRIVER_PARAM command handler calls strstr() to locate a delimiter in the input string but does not check the return value for NULL. When the expected delimiter is absent from the input, strstr() returns NULL, and subsequent pointer arithmetic and dereference on this NULL value causes a crash. A remote attacker can exploit this to deny service to all debug sessions.
Details
Root Cause
In server.c at approximately line 639, the function set_driver_parameter() processes SET_DRIVER_PARAM commands received from debug clients. It uses strstr() to find a delimiter (e.g., "=" or similar separator) within the parameter string to split the key from the value.
The return value of strstr() is used directly in subsequent pointer arithmetic without checking whether it is NULL. When a client sends a SET_DRIVER_PARAM command that does not contain the expected delimiter, strstr() returns NULL, and the code dereferences it, causing a segmentation fault.
Vulnerable Code Path
set_driver_parameter()
  -> receives SET_DRIVER_PARAM command string
  -> ptr = strstr(param_string, delimiter)   // returns NULL if delimiter missing
  -> *(ptr + offset) = ...                   // NULL dereference -> SIGSEGV
Impact
- Denial of Service (DoS): The server process crashes immediately upon receiving a malformed SET_DRIVER_PARAM command. This terminates all active debug sessions.
- Availability: Since the debug server typically runs as a single process handling all connections, a single malformed packet crashes the entire service.
Proof of Concept
The vulnerability can be reproduced by sending a SET_DRIVER_PARAM command without the expected delimiter character.
Steps
- Build the remote-debug-for-intel-fpga server with AddressSanitizer:
    git clone https://github.com/altera-opensource/remote-debug-for-intel-fpga.git
    cd remote-debug-for-intel-fpga
    # Add -fsanitize=address -fno-omit-frame-pointer to CFLAGS in Makefile
    make
- Start the debug server.
- Send a SET_DRIVER_PARAM command with a parameter string that does not contain the expected delimiter (e.g., send "SET_DRIVER_PARAM param_without_delimiter" instead of "SET_DRIVER_PARAM key=value").
- Observe the server crash:
    Segmentation fault (core dumped)
  With AddressSanitizer:
    ==PID==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
    The signal is caused by a READ memory access.
    Hint: address points to the zero page.
        #0 ... in set_driver_parameter server.c:639
Suggested Fix
Add a NULL check on the return value of strstr() before using the pointer:
    // In set_driver_parameter():
    char *delim_ptr = strstr(param_string, "=");
    if (delim_ptr == NULL) {
        // Log error and reject the malformed command
        fprintf(stderr, "Error: SET_DRIVER_PARAM missing delimiter in: %s\n",
                param_string);
        return -1; // or appropriate error handling
    }
    // Safe to use delim_ptr from here
I am happy to submit a pull request with this fix if preferred.
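As an added illustration (not code from the remote-debug-for-intel-fpga project), the following standalone parser applies the fix above to a hypothetical key/value parameter and feeds it the delimiter-less input from the reproduction steps; the result struct name, field sizes and return convention are assumptions, since the advisory does not show the project's real data structures.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result struct: this is an added example, not the project's code. */
typedef struct {
    char key[64];
    char value[64];
} driver_param;

/* Parse the argument of a SET_DRIVER_PARAM command ("key=value") into out.
 * Returns 0 on success, -1 if the '=' delimiter is missing, the key is
 * empty, or a field would overflow. The strstr() result is checked before
 * any pointer arithmetic, which is the check the advisory says is missing. */
int parse_driver_param(const char *param_string, driver_param *out)
{
    if (param_string == NULL || out == NULL)
        return -1;

    const char *delim_ptr = strstr(param_string, "=");
    if (delim_ptr == NULL) {
        /* Reject instead of dereferencing NULL: this is the crash input. */
        fprintf(stderr, "Error: SET_DRIVER_PARAM missing delimiter in: %s\n",
                param_string);
        return -1;
    }

    size_t key_len = (size_t)(delim_ptr - param_string);
    const char *value = delim_ptr + 1;          /* safe: delim_ptr != NULL */
    size_t value_len = strlen(value);
    if (key_len == 0 || key_len >= sizeof out->key ||
        value_len >= sizeof out->value)
        return -1;

    memcpy(out->key, param_string, key_len);
    out->key[key_len] = '\0';
    memcpy(out->value, value, value_len + 1);   /* includes terminator */
    return 0;
}

int main(void)
{
    driver_param p;
    /* Constructed inputs: the well-formed command argument and the
     * delimiter-less one from the advisory's reproduction steps. */
    const char *inputs[] = { "key=value", "param_without_delimiter", "=v" };
    for (size_t i = 0; i < 3; i++)
        printf("\"%s\" -> %d\n", inputs[i], parse_driver_param(inputs[i], &p));
    return 0;
}
```

The malformed input is rejected with -1 and logged, instead of reaching the pointer arithmetic that crashes the server.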
Credit
Discovered during independent security research by Haruto Kimura (Stella).
Timeline
| Date       | Event |
| ---------- | ----- |
| 2026-02-19 | Vulnerability discovered during security research |
| 2026-02-19 | Confirmed via crash reproduction and AddressSanitizer |
| 2026-02-25 | Advisory filed with project maintainers via GitHub Security Advisory |
References