[Snort-devel] Potential NULL pointer dereference in Snort-3.0.0a3/a4 (CWE-476)

Bill Parker wp02855 at ...2499...
Thu Feb 4 16:43:20 EST 2016


In reviewing code in Snort-3.0.0a4, in directory
'src/service_inspectors/ftp_telnet',
function ProcessFTPCmdValidity(), there is a potential for a NULL pointer
dereference when strncpy() is called: if variable 'fmt' is undefined or set
to NULL, it will generate a segmentation violation/fault.

<reference CWE-476: NULL Pointer Dereference>

A NULL pointer dereference occurs when the application dereferences
a pointer that it expects to be valid, but is NULL, typically causing
a crash or exit.

The patch file below adds an additional check before strncpy() is
called to guard against this issue:

--- ftp_parse.cc.orig   2016-02-04 10:23:06.762214048 -0800
+++ ftp_parse.cc        2016-02-04 10:27:22.333695869 -0800
@@ -674,6 +674,13 @@
     FTP_PARAM_FMT* HeadFmt = NULL;

     char buf[1024];
+    if (!fmt)
+    {
+       snprintf(ErrorString, ErrStrLen,
+           "cmd format is NULL.");
+
+       return FTPP_FATAL_ERR;
+    }
     strncpy(buf, fmt, sizeof(buf));
     buf[sizeof(buf)-1] = '\0';


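Review bot: The error path in the new `if (!fmt)` block writes through ErrorString with snprintf() without any check in the visible lines that ErrorString is non-NULL and ErrStrLen is non-zero, so the guard could trade one NULL dereference for another if callers are allowed to pass a NULL error buffer; either confirm that every caller supplies a valid buffer or test it before the snprintf(). Two smaller points on the same block: the body is indented seven spaces while the surrounding lines use four, and the message "cmd format is NULL." would be easier to act on if it named the function or the command being validated. A blank line between `char buf[1024];` and the `if` would also keep the declarations visually separate from the check.
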
=======================================================================

I am attaching this patch file to this bug report...

Bill Parker (wp02855 at gmail dot com)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ftp_parse.cc.patch
Type: application/octet-stream
Size: 396 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20160204/a93a81d4/attachment.obj>

