List: snort-devel
Subject: Re: [Snort-devel] [PATCH] Potential NULL pointer dereference (CWE-476) in Snort-3.0.0-a4 (Build 191)
From: Russ <rucombs () cisco ! com>
Date: 2016-03-10 22:27:57
Message-ID: 56E1F4ED.2090805 () cisco ! com
Thanks Bill. The TCP code for segment data is currently under rewrite
but that will be fixed in the interim.
catch.hpp issues should be reported to https://github.com/philsquared/Catch.
On 3/10/16 4:05 PM, Bill Parker wrote:
> Hello All,
>
> In reviewing source code in snort-3.0.0-a4 (build 191), in directory
> 'src/stream/tcp', in file 'tcp_segment_node.cc', in function
> 'TcpSegmentNode::init()'
> there is a call to malloc() which is not checked for a return value of
> NULL,
> indicating failure. However, two statements below the return value from
> the malloc() call is used as the destination address in a memcpy() call.
>
> If the destination value for memcpy() is NULL, a segmentation
> violation/fault
> will be generated. The patch file below should address/correct this
> issue:
>
> --- tcp_segment_node.cc.orig 2016-03-10 08:30:06.609568248 -0800
> +++ tcp_segment_node.cc 2016-03-10 08:32:09.918240146 -0800
> @@ -63,6 +63,10 @@
> }
> ss->data = ( uint8_t* )malloc(dsize);
> + if (!ss->data) {
> + delete ss;
> + return nullptr;
> + }
> ss->payload = ss->data;
> ss->tv = tv;
> memcpy(ss->payload, data, dsize);
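Review bot: the new early return makes nullptr a legitimate result of TcpSegmentNode::init(), but the hunk touches no call site, so unless every caller already checks the returned node the fault only moves from this memcpy() to the first dereference in the caller; the call sites should be audited in the same change. The cleanup path `delete ss;` also relies on two things the hunk does not show: that ss was created with new (otherwise the allocation and release are mismatched), and that the destructor tolerates data == nullptr (free(nullptr) is a no-op, a destructor that dereferences data is not). Both are worth confirming in the surrounding code before merging.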
> =======================================================================
>
> Subj: Missing Sanity Check for malloc() in Snort-3.0.0-a4 Build 191
>
> There appears to be a missing sanity check for malloc in directory
> 'src/catch', file 'catch.hpp' as the code segment below shows:
>
> inline size_t registerTestMethods() {
> size_t noTestMethods = 0;
> int noClasses = objc_getClassList( CATCH_NULL, 0 );
>
> Class* classes = (CATCH_UNSAFE_UNRETAINED Class *)malloc(
> sizeof(Class) * noClasses);
> objc_getClassList( classes, noClasses );
>
> =======================================================================
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
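The pattern Bill's patch applies, shown end to end as an added example that is not Snort's code and not part of the patch above: a node factory that releases the partially built node and returns nullptr when the payload buffer cannot be allocated, plus the caller-side check that such a return value requires. The `SegmentNode` type, the `g_alloc` allocator hook (which exists only so the out-of-memory path can be exercised deterministically) and the `queue_segment()` caller are all hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <new>

// Hypothetical allocator hook: defaults to the system malloc and can be
// swapped for a failing allocator to drive the error path in a test.
using AllocFn = void* (*)(std::size_t);
static AllocFn g_alloc = &std::malloc;
static void* failing_alloc(std::size_t) { return nullptr; }
void use_failing_allocator() { g_alloc = &failing_alloc; }
void use_system_allocator() { g_alloc = &std::malloc; }

// Hypothetical stand-in for the node type in the patched function.
struct SegmentNode {
    uint8_t* data = nullptr;
    uint8_t* payload = nullptr;
    uint32_t size = 0;

    // free(nullptr) is a no-op, so deleting a node whose buffer allocation
    // failed is safe; this is the property the cleanup path depends on.
    ~SegmentNode() { std::free(data); }

    // Same shape as the patched init(): allocate the node, then the payload
    // buffer; on buffer failure release the node and report nullptr.
    static SegmentNode* init(const uint8_t* src, uint32_t dsize) {
        SegmentNode* ss = new (std::nothrow) SegmentNode;
        if (!ss)
            return nullptr;
        ss->data = static_cast<uint8_t*>(g_alloc(dsize));
        if (!ss->data) {
            delete ss;          // node was created with new, so delete matches
            return nullptr;     // caller must treat this as "segment dropped"
        }
        ss->payload = ss->data;
        ss->size = dsize;
        std::memcpy(ss->payload, src, dsize);   // destination is now known non-null
        return ss;
    }
};

// Caller side: the nullptr contract only helps if every caller honours it.
// Returns true when the segment was accounted for, false when it had to be
// dropped because memory was unavailable; queued_bytes is left untouched on failure.
bool queue_segment(const uint8_t* src, uint32_t dsize, std::size_t* queued_bytes) {
    SegmentNode* node = SegmentNode::init(src, dsize);
    if (!node)
        return false;
    *queued_bytes += node->size;
    delete node;
    return true;
}

// Constructed demonstration: one segment with the real allocator, then the
// same segment with allocation failure injected. Returns 0 when both paths
// behave as intended.
int demo_result() {
    const uint8_t sample[] = {0x16, 0x03, 0x01, 0x00, 0x05};   // constructed bytes
    std::size_t bytes = 0;
    bool ok = queue_segment(sample, sizeof sample, &bytes);
    use_failing_allocator();
    bool dropped = !queue_segment(sample, sizeof sample, &bytes);
    use_system_allocator();
    return (ok && bytes == sizeof sample && dropped) ? 0 : 1;
}

int main() { return demo_result(); }
```

The allocator hook is there only to make the failure branch testable; in production code the point is simply that the factory owns cleanup of what it already allocated, and that a nullptr return is part of the function's interface that each call site has to handle.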