[Snort-devel] Missing Sanity Check for sflist_new() in port_table.cc (Snort-3.0.0-a2 (build 172)

Joel Cornett (jocornet) jocornet at ...3461...
Wed Nov 4 09:50:18 EST 2015


>
>In reviewing source code in Snort-3.0.0 alpha 2 (Build 172), in
>sub-directory 'src/ports', file 'port_table.cc', in function
>'PortTableCompileMergePortObjects()', at line 633, there is a call
>to sflist_new() like this:
>
>plx_list = sflist_new();
>sflist_init(plx_list);
>p->pt_plx_list = plx_list;
>
>without any check for a return value of NULL from sflist_new(), which
>could cause other issues, if plx_list is NULL.

Thanks, Bill, for pointing that out. There's no need for an additional
error message here, but we will add a check for nullptr.

>
>=======================================================================
>
>In sub-directory 'src/test', file 'catch.hpp', there is a call to
>malloc() which is NOT checked for a return value of NULL, indicating
>failure.  However, according to the comments at the top of this file:
>
>/*
> *  Catch v1.2.1
> *  Generated: 2015-06-30 18:23:27.961086
> *  ----------------------------------------------------------
> *  This file has been merged from multiple headers. Please don't edit it directly
> *  Copyright (c) 2012 Two Blue Cubes Ltd. All rights reserved.
> *
> *  Distributed under the Boost Software License, Version 1.0. (See accompanying
> *  file LICENSE_1_0.txt or copy at http://www.boost.org/LICENSE_1_0.txt)
> */
>
>This occurs at line 2659, the source code is below:
>
>    inline size_t registerTestMethods() {
>        size_t noTestMethods = 0;
>        int noClasses = objc_getClassList( NULL, 0 );
>
>        Class* classes = (CATCH_UNSAFE_UNRETAINED Class *)malloc( sizeof(Class) * noClasses);
>        objc_getClassList( classes, noClasses );   <---- this could go KABOOM, could it not?
>
>        for( int c = 0; c < noClasses; c++ ) {

catch.hpp is a third-party header. If you find any bugs here, you can direct
them to the github page for catch. That being said, this code will never be
executed, since this entire block is wrapped in an "#ifdef __OBJ_C__".

Best,

Joel Cornett, Software Engineer, Cisco
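The fix agreed above, a nullptr check after sflist_new(), shown as an added example that is not Snort's code: SF_LIST, sflist_new(), sflist_init(), sflist_free(), PortTable and port_table_alloc_lists() are simplified stand-ins modelled on the snippet in the report, and the pt_merged_list field and the g_allocs_until_fail knob (which lets a test simulate an out-of-memory allocation) are assumptions made for the example. It also shows the part the one-line check leaves open: when a later allocation fails, the earlier list must be released so the table is not left half-initialised.

```cpp
#include <cstdlib>
#include <cstddef>

// Hypothetical stand-in for Snort's SF_LIST (this example's model, not Snort's type).
struct SF_LIST { size_t count; };

// Test knob: -1 never fail; 0 fail on the next call; n>0 fail after n successes.
static int g_allocs_until_fail = -1;

// Model of sflist_new(): returns nullptr when allocation fails.
SF_LIST* sflist_new()
{
    if (g_allocs_until_fail == 0) { g_allocs_until_fail = -1; return nullptr; }
    if (g_allocs_until_fail > 0) --g_allocs_until_fail;
    return static_cast<SF_LIST*>(std::calloc(1, sizeof(SF_LIST)));
}

// Dereferences its argument unconditionally, which is why an unchecked
// nullptr from sflist_new() becomes a crash on the very next line.
void sflist_init(SF_LIST* l) { l->count = 0; }
void sflist_free(SF_LIST* l) { std::free(l); }

// Simplified port table; pt_merged_list is an assumed second list.
struct PortTable
{
    SF_LIST* pt_plx_list = nullptr;
    SF_LIST* pt_merged_list = nullptr;
};

// Checked version of the allocation pattern from the report. Returns false
// instead of crashing, and undoes partial work before reporting failure.
bool port_table_alloc_lists(PortTable* p)
{
    SF_LIST* plx_list = sflist_new();
    if (plx_list == nullptr)
        return false;
    sflist_init(plx_list);

    SF_LIST* merged = sflist_new();
    if (merged == nullptr)
    {
        sflist_free(plx_list);   // release the first list; leave *p untouched
        return false;
    }
    sflist_init(merged);

    p->pt_plx_list = plx_list;   // publish only once everything succeeded
    p->pt_merged_list = merged;
    return true;
}
```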
