From a02a4594f4b44c8bc9ae2a8c22ba802e0aa7523f Mon Sep 17 00:00:00 2001
From: Julian Brost <julian.brost@icinga.com>
Date: Wed, 8 Oct 2025 10:04:52 +0200
Subject: [PATCH] DerefExpression: Add missing nullptr check

Due to this missing check, evaluating a DSL expression can result in a null
dereference, crashing the Icinga 2 process. Given that API users can also
provide DSL expression as filters, this can be triggered over the network as
well.

This issue was assigned CVE-2025-61908.
---
 lib/config/expression.cpp | 4 ++++
 test/config-ops.cpp       | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/lib/config/expression.cpp b/lib/config/expression.cpp
index bec121ec3..ddc66ac6f 100644
--- a/lib/config/expression.cpp
+++ b/lib/config/expression.cpp
@@ -185,6 +185,10 @@ bool DerefExpression::GetReference(ScriptFrame& frame, bool init_dict, Value *pa
 
 	Reference::Ptr ref = operand.GetValue();
 
+	if (!ref) {
+		BOOST_THROW_EXCEPTION(ScriptError("Invalid reference specified.", GetDebugInfo()));
+	}
+
 	*parent = ref->GetParent();
 	*index = ref->GetIndex();
 	return true;
diff --git a/test/config-ops.cpp b/test/config-ops.cpp
index dfbef2530..50064c358 100644
--- a/test/config-ops.cpp
+++ b/test/config-ops.cpp
@@ -241,6 +241,10 @@ BOOST_AUTO_TEST_CASE(advanced)
 	expr = ConfigCompiler::CompileText("<test>", "{{ 3 }}");
 	func = expr->Evaluate(frame).GetValue();
 	BOOST_CHECK(func->Invoke() == 3);
+
+	// Regression test for CVE-2025-61908
+	expr = ConfigCompiler::CompileText("<test>", "&*null");
+	BOOST_CHECK_THROW(expr->Evaluate(frame).GetValue(), ScriptError);
 }
 
 BOOST_AUTO_TEST_SUITE_END()