Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Potential Segmentation Violation/Fault in Snort-2.9.8.0 beta

From: "Costas Kleopa (ckleopa)" <ckleopa () cisco com>
Date: Tue, 1 Sep 2015 21:18:04 +0000
Thanks again. We will review all these and bug them if needed. 

Thanks,
Costas


On Sep 1, 2015, at 5:14 PM, Bill Parker <wp02855 () gmail com> wrote:

Hello All,

    In reviewing source code in Snort-2.9.8.0 beta, I found a pair
of calls to malloc() in directory 'src/dynamic-preprocessors/appid/detector_plugins',
file 'detector_http.c' which are not checked for a return value of
NULL, indicating failure.  Additionally, if memcpy() is called with
a address location pointing to NULL, a segmentation violation/fault
will occur, causing a program abort.  The patch file below should
correct/address this issue:

--- detector_http.c.orig        2015-09-01 14:01:47.685000000 -0700
+++ detector_http.c     2015-09-01 14:07:39.500000000 -0700
@@ -2218,6 +2218,13 @@
         if (version_len >= MAX_VERSION_SIZE)
             version_len = MAX_VERSION_SIZE - 1;
         *version = (char *)malloc(sizeof(char)*(version_len+1));
+       if (!*version) {
+           _dpd.errMsg("Failed to allocate memory for version in getServerVendorVersion()...");
+           free(tmp);
+           free(sub);
+           return;
+       }
+           
         memcpy(*version, ver, version_len);
         *(*version+version_len) = 0;
     }
@@ -2226,6 +2233,13 @@
     if (vendor_len >= MAX_VERSION_SIZE)
         vendor_len = MAX_VERSION_SIZE - 1;
     *vendor = (char *)malloc(sizeof(char)*(vendor_len+1));
+    if (!*vendor) {
+       _dpd.errMsg("Failed to allocate memory for vendor in getServerVendorVersion()...");
+       free(version);
+       free(tmp);
+       free(sub);
+       return;
+    }
     memcpy(*vendor, data, vendor_len);
     *(*vendor+vendor_len) = 0;
 }
 
 I am attaching the patch file to this bug report...m00000!
 
 Questions, Comments, Suggestions, Complaints? :)
 
 Bill Parker (wp02855 at gmail dot com)
<detector_http.c.patch>
------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!


------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: