[Snort-devel] [PATCH] Potential NULL pointer dereference (CWE-476) in Snort-3.0.0-a4 (Build 191)

Russ rucombs at ...3461...
Thu Mar 10 17:27:57 EST 2016


Thanks Bill.  The TCP code for segment data is currently under rewrite 
but that will be fixed in the interim.

catch.hpp issues should be reported to https://github.com/philsquared/Catch.

On 3/10/16 4:05 PM, Bill Parker wrote:
> Hello All,
>
> In reviewing source code in snort-3.0.0-a4 (build 191), in directory
> 'src/stream/tcp', in file 'tcp_segment_node.cc', in function
> 'TcpSegmentNode::init()', there is a call to malloc() which is not checked
> for a return value of NULL, indicating failure.  However, two statements
> below, the return value from the malloc() call is used as the destination
> address in a memcpy() call.
>
> If the destination value for memcpy() is NULL, a segmentation
> violation/fault will be generated.  The patch file below should
> address/correct this issue:
>
> --- tcp_segment_node.cc.orig    2016-03-10 08:30:06.609568248 -0800
> +++ tcp_segment_node.cc 2016-03-10 08:32:09.918240146 -0800
> @@ -63,6 +63,10 @@
>      }
>      ss->data = ( uint8_t* )malloc(dsize);
> +    if (!ss->data) {
> +       delete ss;
> +       return nullptr;
> +    }
>      ss->payload = ss->data;
>      ss->tv = tv;
>      memcpy(ss->payload, data, dsize);
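Review bot: the early return added in this hunk changes the contract of TcpSegmentNode::init(), so every caller must now check for nullptr; without that, the dereference simply moves from the memcpy() here to the call site. Two smaller points on the new lines: `delete ss;` is only the right cleanup if `ss` was obtained with `new` in the part of the function outside the hunk (the context lines do not show how it was allocated), and malloc(0) may legitimately return NULL on some platforms, so if `dsize` can be zero the new check would report an empty segment as an allocation failure. Also align `delete ss;` and `return nullptr;` to the file's four-space indent (they are currently indented seven spaces).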
> =======================================================================
>
> Subj: Missing Sanity Check for malloc() in Snort-3.0.0-a4 Build 191
>
> There appears to be a missing sanity check for malloc in directory
> 'src/catch', file 'catch.hpp' as the code segment below shows:
>
>     inline size_t registerTestMethods() {
>         size_t noTestMethods = 0;
>         int noClasses = objc_getClassList( CATCH_NULL, 0 );
>
>         Class* classes = (CATCH_UNSAFE_UNRETAINED Class *)malloc( sizeof(Class) * noClasses);
>         objc_getClassList( classes, noClasses );
>
> =======================================================================
