[Snort-devel] [snort-devel] - additional error checking for calls in snort-2.9.7.0-alpha

Costas Kleopa (ckleopa) ckleopa at ...3461...
Fri Mar 14 13:26:35 EDT 2014


Bill,

Thanks for the updates. We will add this in our bugs for improvements.

Thanks
Costas


From: Bill Parker <wp02855 at ...2499...>
Date: Thursday, March 13, 2014 at 5:20 PM
To: "snort-devel at lists.sourceforge.net" <snort-devel at lists.sourceforge.net>
Subject: [Snort-devel] [snort-devel] - additional error checking for calls in snort-2.9.7.0-alpha

Hi All,

   In reviewing code in Snort-2.9.7.0-alpha, I found some instances
where the library call to stat() was used, but without a check of
the return value being < 0, which would indicate failure.  The
patch file is below:

--- util.c.orig 2014-03-13 09:17:43.801561939 -0700
+++ util.c      2014-03-13 09:26:56.257776283 -0700
@@ -788,14 +788,16 @@
                        "system\n", _PATH_VARRUN);
 #endif  /* _PATH_VARRUN */

-            stat(_PATH_VARRUN, &pt);
+            if (stat(_PATH_VARRUN, &pt) == -1)
+               LogMessage("WARNING: Could not stat _PATH_VARRUN...\n");

             if(!S_ISDIR(pt.st_mode) || access(_PATH_VARRUN, W_OK) == -1)
             {
                 LogMessage("WARNING: _PATH_VARRUN is invalid, trying "
                            "/var/log/ ...\n");
                 SnortStrncpy(snort_conf->pid_path, "/var/log/", sizeof(snort_conf->pid_path));
-                stat(snort_conf->pid_path, &pt);
+                if (stat(snort_conf->pid_path, &pt) == -1)
+                   LogMessage("WARNING: Could not stat %s\n", snort_conf->pid_path);

                 if(!S_ISDIR(pt.st_mode) || access(snort_conf->pid_path, W_OK) == -1)
                 {
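Review bot: In both added checks the stat() failure is only logged, and the very next line still evaluates S_ISDIR(pt.st_mode) on a struct that the failed call did not fill in, so the directory test runs on whatever pt held before. Fold the failure into the existing condition instead, e.g. `if (stat(_PATH_VARRUN, &pt) == -1 || !S_ISDIR(pt.st_mode) || access(_PATH_VARRUN, W_OK) == -1)`, and likewise for snort_conf->pid_path, so a failed stat() always takes the fallback branch. The first warning also prints the literal text _PATH_VARRUN rather than the path; passing the path with %s, as the second warning does, and adding strerror(errno) would tell the operator what actually failed.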

This patch file just outputs a WARNING via LogMessage, since additional
checks take care of any path/file issues later on.

In checking /tools/u2openappid, file 'u2openappid.c', I found an instance
where fseek() was called with no check for a return value of -1, indicating
failure.  The patch file below adds a simple warning message:

--- u2openappid.c.orig  2014-03-13 09:47:59.775362871 -0700
+++ u2openappid.c       2014-03-13 09:49:50.465431009 -0700
@@ -173,7 +173,10 @@

     if ( s_off )
     {
-        fseek(it->file, s_pos+s_off, SEEK_SET);
+        if (fseek(it->file, s_pos+s_off, SEEK_SET) == -1) {
+           puts("Unable to SEEK on current file .. and this is not being handled yet.");
+           return FAILURE;
+       }
         s_off = 0;
     }
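Review bot: The diagnostic in the new fseek() branch is written with puts(), so it lands on stdout where it can be mixed into the tool's normal output, and it drops errno. Prefer something like `fprintf(stderr, "fseek failed: %s\n", strerror(errno));` before the `return FAILURE;`. ISO C only promises a nonzero return on failure, so `!= 0` is the more portable test than `== -1`. The closing brace of the added block is also indented one column short of its `if`.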

In checking /tools/u2spewfoo, file 'u2spewfoo.c', I found an instance
where fseek() was called with no check for a return value of -1, indicating
failure.  The patch file below adds a simple warning message:

--- u2spewfoo.c.orig    2014-03-13 09:55:39.834834064 -0700
+++ u2spewfoo.c 2014-03-13 09:56:37.657182987 -0700
@@ -174,7 +174,10 @@

     if ( s_off )
     {
-        fseek(it->file, s_pos+s_off, SEEK_SET);
+        if (fseek(it->file, s_pos+s_off, SEEK_SET) == -1) {
+           puts("Unable to SEEK on current file .. and this is not being handled yet.");
+           return FAILURE;
+       }
         s_off = 0;
     }
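Review bot: The early `return FAILURE;` in the new branch skips `s_off = 0;`, which now runs only after a successful seek. The hunk does not show how s_off is declared, but if it outlives this call the next invocation will retry the same seek to s_pos+s_off. Either reset s_off before returning or document that the retry is intended. The message text "this is not being handled yet" also contradicts the code, which does handle the failure by returning; reword it to state the failure only. This is the same change as in u2openappid.c, so any fix should be applied to both files together.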

In directory 'tools/file_server', file 'file_server.c', I found an
instance where listen() is called without a check of the return
value being < 0, which would indicate failure.  The patch file
below adds the check and an error message:

--- file_server.c.orig  2014-03-13 10:06:37.844463704 -0700
+++ file_server.c       2014-03-13 10:07:44.643953576 -0700
@@ -615,7 +615,12 @@
     //listen marks the socket as passive socket listening to incoming connections,
     //it allows max 5 backlog connections: backlog connections are pending in queue
     //if pending connections are more than 5, later request may be ignored
-    listen(sockfd,5);
+
+    if (listen(sockfd,5) < 0)
+    {
+       ErrorMessage("ERROR on listen.\n");
+       exit(1);
+    }

     while (!stop_processing)
     {
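Review bot: The new listen() failure path reports only "ERROR on listen." and then exits, discarding errno, so the log cannot distinguish an address already in use from a bad descriptor. If ErrorMessage accepts a printf-style format (not visible in this hunk), use `ErrorMessage("ERROR on listen: %s\n", strerror(errno));` before `exit(1);`. The added blank line also separates the three-line comment from the listen() call it describes; dropping it keeps the comment attached to the call.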

A 'make' results in a clean compile of the above patch files :)

I am attaching the patch file(s) to this email.

Bill Parker (wp02855 at gmail dot com)
