[Snort-devel] Lack of Sanity Check for call to malloc()

Bill Parker wp02855 at ...2499...
Sat Jul 20 16:13:55 EDT 2013


Hello All,

In 'snort-2.9.5/src/preprocessors/HttpInspect/utils', file
'hi_paf.c', I found a call to malloc() without a check for a
return value of NULL, indicating failure.  The patch file
below adds this test:

--- hi_paf.c.orig       2013-07-19 17:20:14.860817849 -0700
+++ hi_paf.c    2013-07-19 17:24:00.310814409 -0700
@@ -552,6 +552,12 @@
     }
     hi_fsm_size = max + extra;
     hi_fsm = malloc(hi_fsm_size*sizeof(*hi_fsm));
+    if (hi_fsm == NULL)
+    {
+       printf("Unable to allocate memory for hi_fsm...\n");
+       return false;
+    }
+
     next = max;

     for ( i = 0; i < hi_fsm_size; i++ )

In 'snort-2.9.5/src', file 'log.c', I found a check for
the return value from calloc() but the call to calloc() in
function 'PrintCharData' is currently commented out as
shown below:

    /* allocate a buffer to print the data to */
    //data_dump_buffer = (char *) calloc(data_len + (data_len >> 6) + 2,
sizeof(char));
    if (data_dump_buffer == NULL)
    {
        AllocDumpBuf();
    }

    size = (data_len + (data_len >> 6) + 2) * sizeof(char);
Should the variable 'data_dump_buffer' be uncommented, since
data_dump_buffer is accessed later in the function?

In 'snort-2.9.5/src/detection-plugins', file 'sp_ip_proto.c',
I found a check for the return value from calloc(), but the call
to calloc() in function 'IpProtoInit' is currently commented out
as shown below:

    ipd = (IpProtoData *) SnortAlloc(sizeof(IpProtoData));

    /* allocate the data structure and attach it to the
       rule's data struct list */
    //otn->ds_list[PLUGIN_IP_PROTO_CHECK] = (IpProtoData *)
calloc(sizeof(IpProtoData), sizeof(char));

    /* this is where the keyword arguments are processed and placed into the
       rule option's data structure */
    IpProtoRuleParseFunction(data, ipd);
Should the variable 'otn->ds_list[PLUGIN_IP_PROTO_CHECK]'
be uncommented, since data_dump_buffer is accessed later
in the function?

I'm attaching the patch file to this email.

Bill (wp02855 at gmail dot com)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130720/ee3b258c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hi_paf.c.patch
Type: application/octet-stream
Size: 386 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130720/ee3b258c/attachment.obj>


More information about the Snort-devel mailing list