fix bug UAF (#5720)

* fix bug UAF

Signed-off-by: suifengersan123 <[email protected]>

* fix linting problems Signed-off-by: suifengersan123 <[email protected]>

Signed-off-by: suifengersan123 <[email protected]>

* fix linting problems Signed-off-by: suifengersan123 <[email protected]>

Signed-off-by: suifengersan123 <[email protected]>

* fix linting problems Signed-off-by: suifengersan123 <[email protected]>

Signed-off-by: suifengersan123 <[email protected]>

* fix linting problems Signed-off-by: suifengersan123 <[email protected]>

Signed-off-by: suifengersan123 <[email protected]>

* fix linting problems Signed-off-by: suifengersan123 <[email protected]>

Signed-off-by: suifengersan123 <[email protected]>

* fix linting problems Signed-off-by: suifengersan123 <[email protected]>

Signed-off-by: suifengersan123 <[email protected]>

* fix linting problems

Signed-off-by: suifengersan123 <[email protected]>

* fix linting problems

Signed-off-by: suifengersan123 <[email protected]>

* add test

Signed-off-by: suifengersan123 <[email protected]>

* fix errors

Signed-off-by: suifengersan123 <[email protected]>

---------

Signed-off-by: suifengersan123 <[email protected]>
Co-authored-by: 随风而散 <[email protected]>

Author: suifengersan123

nav2_dwb_controller/dwb_plugins/include/dwb_plugins/kinematic_parameters.hpp

@@ -39,7 +39,7 @@
 #include <memory>
 #include <string>
 #include <vector>
-
+#include <stdexcept>
 #include "nav2_ros_common/lifecycle_node.hpp"
 #include "rclcpp/rclcpp.hpp"
 
@@ -145,7 +145,14 @@ class KinematicsHandler
   void activate();
   void deactivate();
 
-  inline KinematicParameters getKinematics() {return *kinematics_.load();}
+  inline KinematicParameters getKinematics()
+  {
+    KinematicParameters * ptr = kinematics_.load();
+    if (ptr == nullptr) {
+      throw std::runtime_error("Can't call KinematicsHandler::getKinematics().");
+    }
+    return *ptr;
+  }
 
   void setSpeedLimit(const double & speed_limit, const bool & percentage);
 

nav2_dwb_controller/dwb_plugins/src/kinematic_parameters.cpp

@@ -33,7 +33,7 @@
  */
 
 #include "dwb_plugins/kinematic_parameters.hpp"
-
+#include <atomic>
 #include <memory>
 #include <string>
 #include <vector>
@@ -55,7 +55,10 @@ KinematicsHandler::KinematicsHandler()
 
 KinematicsHandler::~KinematicsHandler()
 {
-  delete kinematics_.load();
+  KinematicParameters * ptr = kinematics_.load();
+  if (ptr != nullptr) {
+    delete ptr;
+  }
 }
 
 void KinematicsHandler::initialize(
@@ -151,7 +154,11 @@ void KinematicsHandler::deactivate()
 void KinematicsHandler::setSpeedLimit(
   const double & speed_limit, const bool & percentage)
 {
-  KinematicParameters kinematics(*kinematics_.load());
+  KinematicParameters * ptr = kinematics_.load();
+  if (ptr == nullptr) {
+    return;   // Nothing to update
+  }
+  KinematicParameters kinematics(*ptr);
 
   if (speed_limit == nav2_costmap_2d::NO_SPEED_LIMIT) {
     // Restore default value
@@ -232,7 +239,11 @@ void
 KinematicsHandler::updateParametersCallback(const std::vector<rclcpp::Parameter> & parameters)
 {
   rcl_interfaces::msg::SetParametersResult result;
-  KinematicParameters kinematics(*kinematics_.load());
+  KinematicParameters * ptr = kinematics_.load();
+  if (ptr == nullptr) {
+    return;   // Nothing to update
+  }
+  KinematicParameters kinematics(*ptr);
 
   for (const auto & parameter : parameters) {
     const auto & param_type = parameter.get_type();
@@ -284,8 +295,11 @@ KinematicsHandler::updateParametersCallback(const std::vector<rclcpp::Parameter>
 
 void KinematicsHandler::update_kinematics(KinematicParameters kinematics)
 {
-  delete kinematics_.load();
-  kinematics_.store(new KinematicParameters(kinematics));
+  KinematicParameters * new_kinematics = new KinematicParameters(kinematics);
+  KinematicParameters * old_kinematics = kinematics_.exchange(new_kinematics);
+  if (old_kinematics != nullptr) {
+    delete old_kinematics;
+  }
 }
 
 }  // namespace dwb_plugins

nav2_dwb_controller/dwb_plugins/test/kinematic_parameters_test.cpp

@@ -128,6 +128,114 @@ TEST(KinematicParameters, SetAllParameters) {
   EXPECT_EQ(kp.getAccX(), 56.78);
 }
 
+// Test null pointer handling in setSpeedLimit
+TEST(KinematicParameters, SetSpeedLimitNullPointerHandling) {
+  class TestableKinematicsHandler : public dwb_plugins::KinematicsHandler
+  {
+public:
+    void simulateNullKinematics()
+    {
+      // Temporarily set kinematics_ to null to test null pointer handling
+      dwb_plugins::KinematicParameters * old_ptr = kinematics_.exchange(nullptr);
+      delete old_ptr;
+    }
+
+    void restoreKinematics()
+    {
+      // Restore a valid kinematics pointer
+      kinematics_.store(new dwb_plugins::KinematicParameters);
+    }
+  };
+
+  std::string nodeName = "test_node_null";
+  auto node = std::make_shared<nav2::LifecycleNode>(nodeName);
+  TestableKinematicsHandler kh;
+  kh.initialize(node, nodeName);
+  kh.activate();
+
+  // Simulate null pointer scenario
+  kh.simulateNullKinematics();
+
+  // This should not crash - it should handle the null pointer gracefully
+  EXPECT_NO_THROW(kh.setSpeedLimit(10.0, true));
+  EXPECT_NO_THROW(kh.setSpeedLimit(5.0, false));
+
+  // Restore for cleanup
+  kh.restoreKinematics();
+}
+
+// Test null pointer handling in updateParametersCallback
+TEST(KinematicParameters, UpdateParametersNullPointerHandling) {
+  class TestableKinematicsHandler : public dwb_plugins::KinematicsHandler
+  {
+public:
+    void simulateNullKinematics()
+    {
+      // Temporarily set kinematics_ to null to test null pointer handling
+      dwb_plugins::KinematicParameters * old_ptr = kinematics_.exchange(nullptr);
+      delete old_ptr;
+    }
+
+    void restoreKinematics()
+    {
+      // Restore a valid kinematics pointer
+      kinematics_.store(new dwb_plugins::KinematicParameters);
+    }
+
+    // Expose protected method for testing
+    void testUpdateParametersCallback(std::vector<rclcpp::Parameter> params)
+    {
+      updateParametersCallback(params);
+    }
+  };
+
+  std::string nodeName = "test_node_update_null";
+  auto node = std::make_shared<nav2::LifecycleNode>(nodeName);
+  TestableKinematicsHandler kh;
+  kh.initialize(node, nodeName);
+  kh.activate();
+
+  // Simulate null pointer scenario
+  kh.simulateNullKinematics();
+
+  // Create test parameters
+  std::vector<rclcpp::Parameter> test_params = {
+    rclcpp::Parameter(nodeName + ".max_vel_x", 10.0),
+    rclcpp::Parameter(nodeName + ".max_vel_y", 20.0)
+  };
+
+  // This should not crash - it should handle the null pointer gracefully
+  EXPECT_NO_THROW(kh.testUpdateParametersCallback(test_params));
+
+  // Restore for cleanup
+  kh.restoreKinematics();
+}
+
+// Test getKinematics throws exception when pointer is null
+TEST(KinematicParameters, GetKinematicsNullPointerHandling) {
+  class TestableKinematicsHandler : public dwb_plugins::KinematicsHandler
+  {
+public:
+    void simulateNullKinematics()
+    {
+      // Temporarily set kinematics_ to null
+      dwb_plugins::KinematicParameters * old_ptr = kinematics_.exchange(nullptr);
+      delete old_ptr;
+    }
+  };
+
+  std::string nodeName = "test_node_get_null";
+  auto node = std::make_shared<nav2::LifecycleNode>(nodeName);
+  TestableKinematicsHandler kh;
+  kh.initialize(node, nodeName);
+
+  // Simulate null pointer scenario
+  kh.simulateNullKinematics();
+
+  // getKinematics should throw when pointer is null
+  EXPECT_THROW(kh.getKinematics(), std::runtime_error);
+}
+
 
 int main(int argc, char ** argv)
 {