Fix couple of cases where incorrect handling of keyword parsing errors would lead to access of uninitialized memory. Found by clang.

14 years ago · 3f47eade6b
parent 7dc4b164a8
commit 3f47eade6b
8 changed files with 63 additions and 34 deletions
--- a/src/detect-flow.c
+++ b/src/detect-flow.c
@ -164,6 +164,7 @@ DetectFlowData *DetectFlowParse (char *flowstr)
        SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 ", string %s", ret, flowstr);
        goto error;
    }
+
    if (ret > 1) {
        const char *str_ptr;
        res = pcre_get_substring((char *)flowstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
@ -198,7 +199,7 @@ DetectFlowData *DetectFlowParse (char *flowstr)
    fd->match_cnt = 0;

    int i;
-    for (i = 0; i < (ret -1); i++) {
+    for (i = 0; i < (ret - 1); i++) {
        if (args[i]) {
            /* inspect our options and set the flags */
            if (strcasecmp(args[i], "established") == 0) {
@ -265,15 +266,20 @@ DetectFlowData *DetectFlowParse (char *flowstr)
        }
    }
    for (i = 0; i < (ret -1); i++){
-        if (args[i] != NULL) SCFree(args[i]);
+        if (args[i] != NULL)
+            SCFree(args[i]);
    }
    return fd;

 error:
-    for (i = 0; i < (ret -1); i++){
-        if (args[i] != NULL) SCFree(args[i]);
+    /* ret can be higher than 3 */
+    for (i = 0; i < (ret - 1) && i < 4; i++){
+        if (args[i] != NULL)
+            SCFree(args[i]);
    }
-    if (fd != NULL) DetectFlowFree(fd);
+
+    if (fd != NULL)
+        DetectFlowFree(fd);
    return NULL;

 }
--- a/src/detect-icode.c
+++ b/src/detect-icode.c
@ -197,15 +197,18 @@ DetectICodeData *DetectICodeParse(char *icodestr) {
    }

    for (i = 0; i < (ret-1); i++) {
-        if (args[i] != NULL) SCFree(args[i]);
+        if (args[i] != NULL)
+            SCFree(args[i]);
    }
    return icd;

 error:
-    for (i = 0; i < (ret-1); i++) {
-        if (args[i] != NULL) SCFree(args[i]);
+    for (i = 0; i < (ret-1) && i < 4; i++) {
+        if (args[i] != NULL)
+            SCFree(args[i]);
    }
-    if (icd != NULL) DetectICodeFree(icd);
+    if (icd != NULL)
+        DetectICodeFree(icd);
    return NULL;
 }

--- a/src/detect-ipproto.c
+++ b/src/detect-ipproto.c
@ -114,6 +114,7 @@ static DetectIPProtoData *DetectIPProtoParse(const char *optstr)
        SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, optstr);
        goto error;
    }
+
    for (i = 0; i < (ret - 1); i++) {
        res = pcre_get_substring((char *)optstr, ov, MAX_SUBSTRINGS,
                                 i + 1, &str_ptr);
@ -153,15 +154,18 @@ static DetectIPProtoData *DetectIPProtoParse(const char *optstr)
    }

    for (i = 0; i < (ret - 1); i++){
-        if (args[i] != NULL) SCFree(args[i]);
+        if (args[i] != NULL)
+            SCFree(args[i]);
    }
    return data;

 error:
-    for (i = 0; i < (ret - 1); i++){
-        if (args[i] != NULL) SCFree(args[i]);
+    for (i = 0; i < (ret - 1) && i < 3; i++){
+        if (args[i] != NULL)
+            SCFree(args[i]);
    }
-    if (data != NULL) SCFree(data);
+    if (data != NULL)
+        SCFree(data);
    return NULL;
 }

--- a/src/detect-isdataat.c
+++ b/src/detect-isdataat.c
@ -201,7 +201,8 @@ DetectIsdataatData *DetectIsdataatParse (char *isdataatstr)
        }

        for (i = 0; i < (ret -1); i++) {
-            if (args[i] != NULL) SCFree(args[i]);
+            if (args[i] != NULL)
+                SCFree(args[i]);
        }

        return idad;
@ -210,11 +211,13 @@ DetectIsdataatData *DetectIsdataatParse (char *isdataatstr)

 error:

-    for (i = 0; i < (ret -1); i++){
-        if (args[i] != NULL) SCFree(args[i]);
+    for (i = 0; i < (ret -1) && i < 4; i++){
+        if (args[i] != NULL)
+            SCFree(args[i]);
    }

-    if (idad != NULL) DetectIsdataatFree(idad);
+    if (idad != NULL)
+        DetectIsdataatFree(idad);
    return NULL;

 }
--- a/src/detect-itype.c
+++ b/src/detect-itype.c
@ -197,15 +197,18 @@ DetectITypeData *DetectITypeParse(char *itypestr) {
    }

    for (i = 0; i < (ret-1); i++) {
-        if (args[i] != NULL) SCFree(args[i]);
+        if (args[i] != NULL)
+            SCFree(args[i]);
    }
    return itd;

 error:
-    for (i = 0; i < (ret-1); i++) {
-        if (args[i] != NULL) SCFree(args[i]);
+    for (i = 0; i < (ret-1) && i < 4; i++) {
+        if (args[i] != NULL)
+            SCFree(args[i]);
    }
-    if (itd != NULL) DetectITypeFree(itd);
+    if (itd != NULL)
+        DetectITypeFree(itd);
    return NULL;
 }

--- a/src/detect-rpc.c
+++ b/src/detect-rpc.c
@ -171,6 +171,7 @@ DetectRpcData *DetectRpcParse (char *rpcstr)
        SCLogError(SC_ERR_PCRE_MATCH, "parse error, ret %" PRId32 ", string %s", ret, rpcstr);
        goto error;
    }
+
    if (ret > 1) {
        const char *str_ptr;
        res = pcre_get_substring((char *)rpcstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
@ -242,15 +243,18 @@ DetectRpcData *DetectRpcParse (char *rpcstr)
            }
    }
    for (i = 0; i < (ret -1); i++){
-        if (args[i] != NULL) SCFree(args[i]);
+        if (args[i] != NULL)
+            SCFree(args[i]);
    }
    return rd;

 error:
-    for (i = 0; i < (ret -1); i++){
-        if (args[i] != NULL) SCFree(args[i]);
+    for (i = 0; i < (ret -1) && i < 4; i++){
+        if (args[i] != NULL)
+            SCFree(args[i]);
    }
-    if (rd != NULL) DetectRpcFree(rd);
+    if (rd != NULL)
+        DetectRpcFree(rd);
    return NULL;

 }
--- a/src/detect-window.c
+++ b/src/detect-window.c
@ -142,7 +142,6 @@ DetectWindowData *DetectWindowParse(char *windowstr) {
    if (wd == NULL)
        goto error;

-
    if (ret > 1) {
        const char *str_ptr;
        res = pcre_get_substring((char *)windowstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
@ -173,15 +172,18 @@ DetectWindowData *DetectWindowParse(char *windowstr) {

 	int i = 0;
    for (i = 0; i < (ret -1); i++){
-        if (args[i] != NULL) SCFree(args[i]);
+        if (args[i] != NULL)
+            SCFree(args[i]);
    }
    return wd;

 error:
-    for (i = 0; i < (ret -1); i++){
-        if (args[i] != NULL) SCFree(args[i]);
+    for (i = 0; i < (ret -1) && i < 4; i++){
+        if (args[i] != NULL)
+            SCFree(args[i]);
    }
-    if (wd != NULL) DetectWindowFree(wd);
+    if (wd != NULL)
+        DetectWindowFree(wd);
    return NULL;

 }
--- a/src/detect.c
+++ b/src/detect.c
@ -5512,7 +5512,7 @@ static int SigTest20Wm (void) {
 static int SigTest21Real (int mpm_type) {
    ThreadVars th_v;
    memset(&th_v, 0, sizeof(th_v));
-    DetectEngineThreadCtx *det_ctx;
+    DetectEngineThreadCtx *det_ctx = NULL;
    int result = 0;

    Flow f;
@ -5572,10 +5572,14 @@ static int SigTest21Real (int mpm_type) {

    result = 1;
 end:
-    SigGroupCleanup(de_ctx);
-    SigCleanSignatures(de_ctx);
+    if (de_ctx != NULL) {
+        SigGroupCleanup(de_ctx);
+        SigCleanSignatures(de_ctx);

-    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+        if (det_ctx != NULL) {
+            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+        }
+    }
    DetectEngineCtxFree(de_ctx);
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);