fixed the memory leaks and buffer overflows reported by parfait

16 years ago · cf2d254cc6
parent 27d1dbc342
commit cf2d254cc6
10 changed files with 50 additions and 24 deletions
--- a/src/alert-unified-alert.c
+++ b/src/alert-unified-alert.c
@ -429,12 +429,11 @@ static int AlertUnifiedAlertTestRotate01(void)

    memset(&tv, 0, sizeof(ThreadVars));

-    if (lf == NULL)
-        return 0;
-
    ret = AlertUnifiedAlertThreadInit(&tv, oc, &data);
    if (ret == TM_ECODE_FAILED) {
        LogFileFreeCtx(lf);
+        if (filename != NULL)
+            free(filename);
        return 0;
    }

@ -452,6 +451,7 @@ static int AlertUnifiedAlertTestRotate01(void)
 error:
    AlertUnifiedAlertThreadDeinit(&tv, data);
    if (oc != NULL) AlertUnifiedAlertDeInitCtx(oc);
+    if (filename != NULL) free(filename);
    return r;
 }
 #endif /* UNITTESTS */
--- a/src/alert-unified-log.c
+++ b/src/alert-unified-log.c
@ -449,12 +449,11 @@ static int AlertUnifiedLogTestRotate01(void)

    memset(&tv, 0, sizeof(ThreadVars));

-    if (lf == NULL)
-        return 0;
-
    ret = AlertUnifiedLogThreadInit(&tv, oc, &data);
    if (ret == TM_ECODE_FAILED) {
        LogFileFreeCtx(lf);
+        if (filename != NULL)
+            free(filename);
        return 0;
    }

@ -472,6 +471,7 @@ static int AlertUnifiedLogTestRotate01(void)
 error:
    AlertUnifiedLogThreadDeinit(&tv, data);
    if (oc != NULL) AlertUnifiedLogDeInitCtx(oc);
+    if (filename != NULL) free(filename);
    return r;
 }
 #endif /* UNITTESTS */
--- a/src/alert-unified2-alert.c
+++ b/src/alert-unified2-alert.c
@ -1059,12 +1059,11 @@ static int Unified2TestRotate01(void)

    memset(&tv, 0, sizeof(ThreadVars));

-    if (lf == NULL)
-        return 0;
-
    ret = Unified2AlertThreadInit(&tv, oc, &data);
    if (ret == TM_ECODE_FAILED) {
        LogFileFreeCtx(lf);
+        if (filename != NULL)
+            free(filename);
        return 0;
    }

--- a/src/detect-engine-address.c
+++ b/src/detect-engine-address.c
@ -993,7 +993,11 @@ int DetectAddressParse2(DetectAddressHead *gh, DetectAddressHead *ghn, char *s,
        } else if (depth == 0 && s[u] == '$') {
            d_set = 1;
        } else if (depth == 0 && u == size - 1) {
-            address[x] = '\0';
+            if (x == 1024) {
+                address[x - 1] = '\0';
+            } else {
+                address[x] = '\0';
+            }
            x = 0;

            if (d_set == 1) {
--- a/src/detect-engine-iponly.c
+++ b/src/detect-engine-iponly.c
@ -402,7 +402,11 @@ IPOnlyCIDRItem *IPOnlyCIDRListParse2(char *s, int negate)
        } else if (depth == 0 && s[u] == '$') {
            d_set = 1;
        } else if (depth == 0 && u == size - 1) {
-            address[x] = '\0';
+            if (x == 1024) {
+                address[x - 1] = '\0';
+            } else {
+                address[x] = '\0';
+            }
            x = 0;

            if (d_set == 1) {
--- a/src/detect-engine-port.c
+++ b/src/detect-engine-port.c
@ -1079,7 +1079,11 @@ static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,
            d_set = 1;
        } else if (depth == 0 && u == size-1) {
            range = 0;
-            address[x] = '\0';
+            if (x == 1024) {
+                address[x - 1] = '\0';
+            } else {
+                address[x] = '\0';
+            }
            SCLogDebug("%s", address);
            x = 0;
            if (d_set == 1) {
--- a/src/detect-fragoffset.c
+++ b/src/detect-fragoffset.c
@ -113,7 +113,7 @@ int DetectFragOffsetMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet
 */
 DetectFragOffsetData *DetectFragOffsetParse (char *fragoffsetstr) {
    DetectFragOffsetData *fragoff = NULL;
-    char *substr[2] = {NULL, NULL};
+    char *substr[3] = {NULL, NULL, NULL};
 #define MAX_SUBSTRINGS 30
    int ret = 0, res = 0;
    int ov[MAX_SUBSTRINGS];
@ -164,14 +164,14 @@ DetectFragOffsetData *DetectFragOffsetParse (char *fragoffsetstr) {

    ByteExtractStringUint16(&fragoff->frag_off, 10, 0, substr[1]);

-    for (i = 0; i < 2; i++) {
+    for (i = 0; i < 3; i++) {
        if (substr[i] != NULL) SCFree(substr[i]);
    }

    return fragoff;

 error:
-    for (i = 0; i < 2; i++) {
+    for (i = 0; i < 3; i++) {
        if (substr[i] != NULL) SCFree(substr[i]);
    }
    if (fragoff != NULL) DetectFragOffsetFree(fragoff);
--- a/src/util-debug.c
+++ b/src/util-debug.c
@ -269,25 +269,38 @@ SCError SCLogMessage(SCLogLevel log_level, char **msg, const char *file,
        printf("Logging module not initialized.  Call SCLogInitLogModule(), "
               "before using the logging API\n");
 #endif
+        if (temp_fmt != NULL)
+            free(temp_fmt);
        return SC_ERR_LOG_MODULE_NOT_INIT;
    }

    if (sc_log_fg_filters_present == 1) {
-        if (SCLogMatchFGFilterWL(file, function, line) != 1)
+        if (SCLogMatchFGFilterWL(file, function, line) != 1) {
+            if (temp_fmt != NULL)
+                free(temp_fmt);
            return SC_ERR_LOG_FG_FILTER_MATCH;
+        }

-        if (SCLogMatchFGFilterBL(file, function, line) != 1)
+        if (SCLogMatchFGFilterBL(file, function, line) != 1) {
+            if (temp_fmt != NULL)
+                free(temp_fmt);
            return SC_ERR_LOG_FG_FILTER_MATCH;
+        }
    }

-    if (sc_log_fd_filters_present == 1 && SCLogMatchFDFilter(function) != 1)
+    if (sc_log_fd_filters_present == 1 && SCLogMatchFDFilter(function) != 1) {
+        if (temp_fmt != NULL)
+            free(temp_fmt);
        return SC_ERR_LOG_FG_FILTER_MATCH;
+    }

 	while ( (temp_fmt = index(temp_fmt, SC_LOG_FMT_PREFIX)) ) {
        if ((temp - *msg) > SC_LOG_MAX_LOG_MSG_LEN) {
            printf("Warning: Log message exceeded message length limit of %d\n",
                   SC_LOG_MAX_LOG_MSG_LEN);
            *msg = *msg + SC_LOG_MAX_LOG_MSG_LEN;
+            if (temp_fmt_h != NULL)
+                free(temp_fmt_h);
            return SC_OK;
        }
        switch(temp_fmt[1]) {
@ -414,6 +427,8 @@ SCError SCLogMessage(SCLogLevel log_level, char **msg, const char *file,
    return SC_OK;

 error:
+    if (temp_fmt != NULL)
+        free(temp_fmt_h);
    return SC_ERR_SPRINTF;
 }

--- a/src/util-radix-tree.c
+++ b/src/util-radix-tree.c
@ -974,8 +974,8 @@ SCRadixNode *SCRadixAddKeyIPV4String(const char *str, SCRadixTree *tree, void *u
    struct in_addr addr;

    /* Make a copy of the string so it can be modified */
-    strncpy(ip_str, str, sizeof(ip_str) - 1);
-    *(ip_str + sizeof(ip_str)) = '\0';
+    strncpy(ip_str, str, sizeof(ip_str) - 2);
+    *(ip_str + (sizeof(ip_str) - 1)) = '\0';

    /* Does it have a mask? */
    if (NULL != (mask_str = strchr(ip_str, '/'))) {
@ -1022,8 +1022,8 @@ SCRadixNode *SCRadixAddKeyIPV6String(const char *str, SCRadixTree *tree, void *u
    struct in6_addr addr;

    /* Make a copy of the string so it can be modified */
-    strncpy(ip_str, str, sizeof(ip_str) - 1);
-    *(ip_str + sizeof(ip_str)) = '\0';
+    strncpy(ip_str, str, sizeof(ip_str) - 2);
+    *(ip_str + sizeof(ip_str) - 1) = '\0';

    /* Does it have a mask? */
    if (NULL != (mask_str = strchr(ip_str, '/'))) {
--- a/src/util-spm.c
+++ b/src/util-spm.c
@ -968,7 +968,7 @@ int UtilSpmSearchOffsetsTest01() {
    int i, j;
    uint8_t *found = NULL;
    for (i = 0; i < 26; i++) {
-        for (j = 0; j <= 26 - i; j++) {
+        for (j = 0; j <= (26 - i); j++) {
            found = BasicSearchWrapper((uint8_t *)text[i][j], (uint8_t *)needle[i], 1);
            if (found == 0) {
                printf("Error1 searching for %s in text %s\n", needle[i], text[i][j]);
@ -1403,7 +1403,7 @@ int UtilSpmSearchOffsetsNocaseTest01() {
    int i, j;
    uint8_t *found = NULL;
    for (i = 0; i < 26; i++) {
-        for (j = 0; j <= 26-i; j++) {
+        for (j = 0; j <= (26-i); j++) {
            found = BasicSearchNocaseWrapper((uint8_t *)text[i][j], (uint8_t *)needle[i], 1);
            if (found == 0) {
                printf("Error1 searching for %s in text %s\n", needle[i], text[i][j]);