Snort mailing list archives
Re: [PATCH] Potential NULL pointer dereference (CWE-476) in Snort-3.0.0-a4 (Build 191)
From: Russ <rucombs () cisco com>
Date: Thu, 10 Mar 2016 17:27:57 -0500
Thanks Bill. The TCP code for segment data is currently under rewrite but that will be fixed in the interim.
catch.hpp issues should be reported to https://github.com/philsquared/Catch.

On 3/10/16 4:05 PM, Bill Parker wrote:
Hello All,

In reviewing source code in snort-3.0.0-a4 (build 191), in directory 'src/stream/tcp', in file 'tcp_segment_node.cc', in function 'TcpSegmentNode::init()' there is a call to malloc() which is not checked for a return value of NULL, indicating failure. However, two statements below the return value from the malloc() call is used as the destination address in a memcpy() call. If the destination value for memcpy() is NULL, a segmentation violation/fault will be generated. The patch file below should address/correct this issue:

--- tcp_segment_node.cc.orig 2016-03-10 08:30:06.609568248 -0800
+++ tcp_segment_node.cc 2016-03-10 08:32:09.918240146 -0800
@@ -63,6 +63,10 @@ } ss->data = ( uint8_t* )malloc(dsize); + if (!ss->data) { + delete ss; + return nullptr; + } ss->payload = ss->data; ss->tv = tv; memcpy(ss->payload, data, dsize);

=======================================================================

Subj: Missing Sanity Check for malloc() in Snort-3.0.0-a4 Build 191

There appears to be a missing sanity check for malloc in directory 'src/catch', file 'catch.hpp' as the code segment below shows:

inline size_t registerTestMethods() {
    size_t noTestMethods = 0;
    int noClasses = objc_getClassList( CATCH_NULL, 0 );
    Class* classes = (CATCH_UNSAFE_UNRETAINED Class *)malloc( sizeof(Class) * noClasses);
    objc_getClassList( classes, noClasses );

=======================================================================

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
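Review bot: In the tcp_segment_node.cc hunk, `+ return nullptr;` gives TcpSegmentNode::init() a return value its callers have to handle, and this patch touches only init() itself; unless every call site checks for nullptr, the NULL dereference just moves from the memcpy() inside init() to the first caller that touches the returned node. The `+ delete ss;` before the return also runs the TcpSegmentNode destructor on a node whose `data` is NULL, a path that could not be reached before this change, so it is worth confirming the destructor does nothing with `data` beyond free()-ing it. One further edge case: malloc(0) is permitted to return NULL on some C libraries, so a zero-length segment (dsize == 0) would take the new failure path; if such segments can reach init(), decide whether returning nullptr is the intended outcome.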
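As an added example, written for this page and not code from Snort or from either poster, the allocate-then-copy flow that the report above describes, carried through with the NULL check from the patch applied, and with a fault-injecting allocator so the failure path can actually be run rather than waited for. It also keeps the unchecked variant alongside for comparison. Segment, init_segment, init_segment_unchecked, Allocator, failing_alloc, live_segments and the sample bytes are names and data invented for this example only.

```cpp
// Added example (not Snort code, not code from either poster): a minimal
// stand-in for the TcpSegmentNode::init() flow under discussion. Names and
// sample data are assumptions made for this example.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Function-pointer type so a test can swap malloc() for a failing allocator.
typedef void* (*Allocator)(size_t);

// Number of Segment objects currently alive; the failure-path check uses it
// to show that the half-built node is released rather than leaked.
static int live_segments = 0;

struct Segment {
    uint8_t* data = nullptr;     // owned buffer; NULL on the failure path
    uint8_t* payload = nullptr;  // points into data
    uint32_t size = 0;
    Segment() { ++live_segments; }
    ~Segment() { std::free(data); --live_segments; }  // free(NULL) is a no-op
};

// Checked counterpart of the reported init(): the malloc() result is tested
// before it is ever used as a memcpy() destination. On failure the node is
// destroyed and nullptr is returned, which every caller must now handle.
Segment* init_segment(const uint8_t* src, uint32_t dsize, Allocator alloc)
{
    Segment* ss = new Segment;   // operator new throws; it never returns NULL
    ss->data = static_cast<uint8_t*>(alloc(dsize));
    if (!ss->data) {
        delete ss;               // destructor must tolerate data == NULL
        return nullptr;
    }
    ss->payload = ss->data;
    ss->size = dsize;
    std::memcpy(ss->payload, src, dsize);
    return ss;
}

// Unchecked variant with the flow the report describes: the malloc() result
// goes straight into memcpy(). With an allocator that returns NULL this
// writes through a NULL pointer, so it is never called with failing_alloc
// here; it exists only for side-by-side comparison with init_segment().
Segment* init_segment_unchecked(const uint8_t* src, uint32_t dsize, Allocator alloc)
{
    Segment* ss = new Segment;
    ss->data = static_cast<uint8_t*>(alloc(dsize));
    ss->payload = ss->data;
    ss->size = dsize;
    std::memcpy(ss->payload, src, dsize);   // NULL destination faults here
    return ss;
}

// Fault-injecting allocator: always reports out-of-memory.
static void* failing_alloc(size_t) { return nullptr; }

// Constructed sample payload (not captured traffic): a few bytes shaped like
// a TLS record header, enough to verify the copy.
static const uint8_t sample[] = { 0x16, 0x03, 0x01, 0x00, 0x05 };

// Normal path: allocation succeeds, bytes are copied, node is released.
bool demo_success()
{
    Segment* ss = init_segment(sample, sizeof sample, std::malloc);
    bool ok = ss != nullptr
           && ss->payload == ss->data
           && ss->size == sizeof sample
           && std::memcmp(ss->payload, sample, sizeof sample) == 0;
    delete ss;
    return ok && live_segments == 0;
}

// Failure path: the allocator returns NULL, init_segment() returns nullptr,
// and the partially constructed node has been freed (live_segments is 0).
bool demo_failure()
{
    Segment* ss = init_segment(sample, sizeof sample, failing_alloc);
    return ss == nullptr && live_segments == 0;
}

int main()
{
    std::printf("success path ok: %s\n", demo_success() ? "yes" : "no");
    std::printf("failure path ok: %s\n", demo_failure() ? "yes" : "no");
    return 0;
}
```

Build with any C++11 compiler (for example `g++ -std=c++11 example.cpp`) and run; both lines should report yes. The injectable allocator is the point: an out-of-memory path that is never exercised in testing is exactly the kind of path where an unchecked malloc() survives, and swapping in failing_alloc makes the check, the cleanup of the half-built node, and the nullptr contract with the caller all observable in a normal test run.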
Current thread:
- [PATCH] Potential NULL pointer dereference (CWE-476) in Snort-3.0.0-a4 (Build 191) Bill Parker (Mar 10)
- Re: [PATCH] Potential NULL pointer dereference (CWE-476) in Snort-3.0.0-a4 (Build 191) Russ (Mar 10)