[Snort-devel] [PATCH] Potential NULL pointer dereference (CWE-476) in Snort-3.0.0-a4 (Build 191)

Bill Parker wp02855 at ...2499...
Thu Mar 10 16:05:27 EST 2016

Hello All,

In reviewing source code in snort-3.0.0-a4 (build 191), in directory
'src/stream/tcp', in file 'tcp_segment_node.cc', in function
there is a call to malloc() which is not checked for a return value of NULL,
indicating failure.  However, two statements below, the return value from
the malloc() call is used as the destination address in a memcpy() call.

If the destination value for memcpy() is NULL, a segmentation fault
will be generated.  The patch file below should address/correct this issue:

--- tcp_segment_node.cc.orig    2016-03-10 08:30:06.609568248 -0800
+++ tcp_segment_node.cc 2016-03-10 08:32:09.918240146 -0800
@@ -63,6 +63,10 @@

     ss->data = ( uint8_t* )malloc(dsize);
+    if (!ss->data) {
+       delete ss;
+       return nullptr;
+    }
     ss->payload = ss->data;
     ss->tv = tv;
     memcpy(ss->payload, data, dsize);
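Review bot: the new early `return nullptr;` only removes the crash if every caller of this function checks its result; the hunk does not show the call sites, so they should be audited at the same time, otherwise the NULL dereference is just moved one level up. Also confirm that `ss` was created with `new` so that `delete ss;` is the matching deallocation (if it came from malloc() it would need free()).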


Subj: Missing Sanity Check for malloc() in Snort-3.0.0-a4 Build 191

There appears to be a missing sanity check for malloc in directory
'src/catch', file 'catch.hpp' as the code segment below shows:

    inline size_t registerTestMethods() {
        size_t noTestMethods = 0;
        int noClasses = objc_getClassList( CATCH_NULL, 0 );

        Class* classes = (CATCH_UNSAFE_UNRETAINED Class *)malloc( sizeof(Class) * noClasses);
        objc_getClassList( classes, noClasses );
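Both reports above describe the same defect class: malloc() is called and the result is used as a memcpy() destination (or passed on) without a NULL check. The following is an added example, not Snort's or Catch's code, showing an allocate-and-copy helper that fails cleanly, plus an injectable allocator so the failure path can actually be exercised in a test; the `Segment` type, field names and all function names are hypothetical stand-ins for the node type in the hunk.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the node in the quoted hunk: only the fields
 * the hunk touches. Not Snort's real TcpSegmentNode. */
typedef struct {
    uint8_t *data;
    uint8_t *payload;
    size_t   size;
} Segment;

/* Injectable allocator (assumption, not in Snort) so a test can force
 * malloc() to return NULL at a chosen call. */
static void *(*seg_malloc)(size_t) = malloc;

/* Allocate a node and copy dsize bytes into it. Returns NULL on any
 * allocation failure instead of handing a NULL destination to memcpy(). */
Segment *segment_create(const uint8_t *data, size_t dsize)
{
    if (data == NULL || dsize == 0)
        return NULL;
    Segment *ss = (Segment *)seg_malloc(sizeof(*ss));
    if (ss == NULL)
        return NULL;
    ss->data = (uint8_t *)seg_malloc(dsize);
    if (ss->data == NULL) {      /* the check the patch adds */
        free(ss);                /* release the node with its own allocator */
        return NULL;
    }
    ss->payload = ss->data;
    ss->size = dsize;
    memcpy(ss->payload, data, dsize);
    return ss;
}

void segment_free(Segment *ss)
{
    if (ss) { free(ss->data); free(ss); }
}

/* Allocator that succeeds fail_calls_left times, then returns NULL. */
static int fail_calls_left = -1;
static void *failing_malloc(size_t n)
{
    if (fail_calls_left == 0) return NULL;
    if (fail_calls_left > 0) fail_calls_left--;
    return malloc(n);
}

/* Test hooks: make the n-th allocation (0-based) fail, or restore malloc(). */
void segment_fail_alloc_at(int n) { fail_calls_left = n; seg_malloc = failing_malloc; }
void segment_use_real_alloc(void) { fail_calls_left = -1; seg_malloc = malloc; }
```

With the failing allocator set to the second call, the node is allocated but its data buffer is not, which is exactly the situation the original code would have turned into a memcpy() onto NULL.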
