[Snort-devel] Possible memory leak in service_ssl.c for snort-2.9.7.x and Snort++?

Bill Parker wp02855 at ...2499...
Thu Mar 19 17:47:56 EDT 2015

Hello All,

    In reviewing code in '/src/dynamic-preprocessors/appid/service_plugins'
file 'service_ssl.c', I found a call to malloc() while checked for a return
value of NULL, a return SERVICE_ENOMEM; executed immediately upon failure,
but variable 'ss' was previously assigned memory by a call to calloc() at
line 629 in function 'MakeRNAServiceValidationPrototype', should it not
be released prior to the return SERVICE_ENOMEM;?  The patch file below
corrects this issue:

--- service_ssl.c.orig  2015-03-19 10:09:57.358608756 -0700
+++ service_ssl.c       2015-03-19 10:16:01.295863310 -0700
@@ -762,8 +762,10 @@
                         certs_rec = (ServiceSSLV3CertsRecord *)data;
                         ss->certs_len = ntoh3(certs_rec->certs_len);
                         ss->certs_data = malloc(ss->certs_len);
-                        if (!ss->certs_data)
+                        if (!ss->certs_data) {
+                            free(ss);
                             return SERVICE_ENOMEM;
+                       }
                         if ((size - sizeof(ServiceSSLV3CertsRecord)) <
                             /* Will have to get more next time around. */

I am attaching the patch file to this possible bug report.

Bill Parker (wp02855 at gmail dot com)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20150319/7ea7267f/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: service_ssl.c.patch
Type: application/octet-stream
Size: 698 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20150319/7ea7267f/attachment.obj>

More information about the Snort-devel mailing list