[Snort-devel] Missing sanity checks in Snort-2.9.7.0-alpha in appid code.

Bill Parker wp02855 at ...2499...
Mon Mar 10 13:33:36 EDT 2014


Hi All,

   Found a pair of minor boo-boos in Snort-2.9.7.0 (alpha) in
the area of missing sanity checks for malloc() and calloc().

In "src/dynamic-preprocessors/appid", file 'fw_appid.c',
'malloc()' is referenced without a corresponding check for NULL,
indicating failure.  The patch file below (attached to this email)
adds the necessary check:

--- fw_appid.c.orig     2014-03-09 17:02:32.881416925 -0700
+++ fw_appid.c  2014-03-09 17:12:13.843254187 -0700
@@ -757,6 +757,10 @@
             if (headers->url.start)
             {
                 session->url = malloc(sizeof("http://") +
headers->host.len + headers->url.len);
+               if (session->url == NULL) { /* oops, malloc() failed */
+                   _dpd.errMsg("Failed to allocate session->url memory.");
+                   return;
+               }
                 strcpy(session->url, "http://");
                 strncat(session->url, (char *)headers->host.start,
headers->host.len);
                 strncat(session->url, (char *)headers->url.start,
headers->url.len);
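
Review bot: the bare "return;" in the new NULL branch abandons the rest of the function, not just the URL copy. The context shown does not reveal the function's return type or whether anything after the strncat() calls still has to run for this session, so either confirm that an early void exit is correct here or restructure so that only the strcpy()/strncat() sequence is skipped when session->url is NULL. The _dpd.errMsg() string has no trailing "\n", and naming the calling function in it would make the log line easier to trace. The size expression sizeof("http://") + headers->host.len + headers->url.len is also still unchecked for wraparound; if those lengths come from parsed traffic, a bound on them before the malloc() belongs in the same change.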

I also found a missing sanity check for calloc() in
"src/dynamic-preprocessors/appid/util", file 'sfxhash.c';
the necessary check for the return value of calloc() is in the
patch file listed below:

diff -u sfxhash.c.orig sfxhash.c
--- sfxhash.c.orig      2014-03-09 17:46:37.170492469 -0700
+++ sfxhash.c   2014-03-09 17:47:58.657849093 -0700
@@ -1436,6 +1436,11 @@
         num = atoi(argv[1]);
     }
     strkey = strarray = calloc(num, 20);
+    if (strarray == NULL)
+    {
+       printf("Unable to allocate memory...exiting!\n");
+       exit(0);
+    }

     if( argc > 2 )
     {
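
Review bot: exit(0) in the new failure branch reports success to the caller even though the allocation failed. Use a non-zero status such as exit(1) or EXIT_FAILURE, and send the message to stderr with fprintf() rather than printf(). Also, num comes straight from atoi(argv[1]) a few lines up, so a zero value can make calloc(num, 20) return NULL on some platforms without memory being exhausted, and the "Unable to allocate memory" message would then be misleading; rejecting num <= 0 before the call avoids that.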


A 'make' of snort-2.9.7.0-alpha results in a clean compile of
the above patch files.

I am attaching the patch files to this email.

Bill Parker (wp02855 at gmail dot com)

m000000000000000!