dcerpc: fix error handling for alloc errors

Fix error handling of stub parsers. In case of SCRealloc error the function would return a non-error code. This could possibly lead to memory corruption. Reported-By: The Yahoo pentest team
11 years ago · 5cd7bb2f14
parent 7426a9c645
commit 5cd7bb2f14
2 changed files with 6 additions and 4 deletions
--- a/src/app-layer-dcerpc-udp.c
+++ b/src/app-layer-dcerpc-udp.c
@ -45,6 +45,8 @@ enum {
 	DCERPC_FIELD_MAX,
 };

+/** \internal
+ *  \retval stub_len or 0 in case of error */
 static uint32_t FragmentDataParser(Flow *f, void *dcerpcudp_state,
                                   AppLayerParserState *pstate,
                                   uint8_t *input, uint32_t input_len)
@ -88,7 +90,7 @@ static uint32_t FragmentDataParser(Flow *f, void *dcerpcudp_state,
        SCFree(*stub_data_buffer);
        *stub_data_buffer = NULL;
        SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
-        goto end;
+        SCReturnUInt(0);
    }

    *stub_data_buffer = ptmp;
@ -110,7 +112,6 @@ static uint32_t FragmentDataParser(Flow *f, void *dcerpcudp_state,
    }
 #endif

-end:
    SCReturnUInt((uint32_t)stub_len);
 }

--- a/src/app-layer-dcerpc.c
+++ b/src/app-layer-dcerpc.c
@ -1189,6 +1189,8 @@ static uint32_t DCERPCParseREQUEST(DCERPC *dcerpc, uint8_t *input, uint32_t inpu
    SCReturnUInt((uint32_t)(p - input));
 }

+/** \internal
+ *  \retval stub_len or 0 in case of error */
 static uint32_t StubDataParser(DCERPC *dcerpc, uint8_t *input, uint32_t input_len)
 {
    SCEnter();
@ -1248,7 +1250,7 @@ static uint32_t StubDataParser(DCERPC *dcerpc, uint8_t *input, uint32_t input_le
        SCFree(*stub_data_buffer);
        *stub_data_buffer = NULL;
        SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
-        goto end;
+        SCReturnUInt(0);
    }
    *stub_data_buffer = ptmp;

@ -1272,7 +1274,6 @@ static uint32_t StubDataParser(DCERPC *dcerpc, uint8_t *input, uint32_t input_le
    }
 #endif

-end:
    SCReturnUInt((uint32_t)stub_len);
 }