Snort mailing list archives

Missing Sanity Check for sflist_new() in port_table.cc (Snort-3.0.0-a2 (build 172)

From: Bill Parker <wp02855 () gmail com>
Date: Mon, 19 Oct 2015 09:52:35 -0700

Hello All,

In reviewing source code in Snort-3.0.0 alpha 2 (Build 172), in
sub-directory 'src/ports', file 'port_table.cc', in function
'PortTableCompileMergePortObjects()', at line 633, there is a call
to sflist_new() like this:

plx_list = sflist_new();
sflist_init(plx_list);
p->pt_plx_list = plx_list;

without any check for a return value of NULL from sflist_new(), which
could cause other issues, if plx_iist is NULL.

Should the ErrorMessage in the patch be replaced by FatalError?

The patch file below should address/correct this issue:

--- port_table.cc.orig  2015-10-18 14:37:21.264314596 -0700
+++ port_table.cc       2015-10-18 14:42:20.700371379 -0700
@@ -631,6 +631,12 @@
         "***\n*** PortList-Merging, Large Rule groups must have %d
rules\n",p->pt_lrc);

     plx_list = sflist_new();
+    if (plx_list == NULL)
+    {
+       ErrorMessage("Could not allocate new list for port objects\n");
+       return -1;  /*  is plx_list released anywhere in this function? */
+    }
+
     sflist_init(plx_list);

     p->pt_plx_list = plx_list;


=======================================================================

In sub-directory 'src/test', file 'catch.hpp', there is a call to
malloc() which is NOT checked for a return value of NULL, indicating
failure.  However, according to the comments at the top of this file:

/*
 *  Catch v1.2.1
 *  Generated: 2015-06-30 18:23:27.961086
 *  ----------------------------------------------------------
 *  This file has been merged from multiple headers. Please don't edit it
directly
 *  Copyright (c) 2012 Two Blue Cubes Ltd. All rights reserved.
 *
 *  Distributed under the Boost Software License, Version 1.0. (See
accompanying
 *  file LICENSE_1_0.txt or copy at http://www.boost.org/LICENSE_1_0.txt)
 */

This occurs at line 2659, the source code is below:

    inline size_t registerTestMethods() {
        size_t noTestMethods = 0;
        int noClasses = objc_getClassList( NULL, 0 );

        Class* classes = (CATCH_UNSAFE_UNRETAINED Class *)malloc(
sizeof(Class) * noClasses);
        objc_getClassList( classes, noClasses );   <---- this could go
KABOOM, could it not?

        for( int c = 0; c < noClasses; c++ ) {
=======================================================================

I am attaching the patch file to this bug report...

Bill Parker (wp02855 at gmail dot com)

Attachment: port_table.cc.patch
Description:

------------------------------------------------------------------------------

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

Missing Sanity Check for sflist_new() in port_table.cc (Snort-3.0.0-a2 (build 172) Bill Parker (Oct 19)
- <Possible follow-ups>
- Re: Missing Sanity Check for sflist_new() in port_table.cc (Snort-3.0.0-a2 (build 172) Joel Cornett (jocornet) (Nov 04)