From cf2d254cc6f6ba84a696e474f6b9d9fb588d219b Mon Sep 17 00:00:00 2001 From: Gurvinder Singh Date: Sat, 17 Apr 2010 22:37:58 +0200 Subject: [PATCH] fixed the memory leaks and buffer overflows reported by parfait --- src/alert-unified-alert.c | 6 +++--- src/alert-unified-log.c | 6 +++--- src/alert-unified2-alert.c | 5 ++--- src/detect-engine-address.c | 6 +++++- src/detect-engine-iponly.c | 6 +++++- src/detect-engine-port.c | 6 +++++- src/detect-fragoffset.c | 6 +++--- src/util-debug.c | 21 ++++++++++++++++++--- src/util-radix-tree.c | 8 ++++---- src/util-spm.c | 4 ++-- 10 files changed, 50 insertions(+), 24 deletions(-) diff --git a/src/alert-unified-alert.c b/src/alert-unified-alert.c index 75898bd5dc..80f4a6dbfc 100644 --- a/src/alert-unified-alert.c +++ b/src/alert-unified-alert.c @@ -429,12 +429,11 @@ static int AlertUnifiedAlertTestRotate01(void) memset(&tv, 0, sizeof(ThreadVars)); - if (lf == NULL) - return 0; - ret = AlertUnifiedAlertThreadInit(&tv, oc, &data); if (ret == TM_ECODE_FAILED) { LogFileFreeCtx(lf); + if (filename != NULL) + free(filename); return 0; } @@ -452,6 +451,7 @@ static int AlertUnifiedAlertTestRotate01(void) error: AlertUnifiedAlertThreadDeinit(&tv, data); if (oc != NULL) AlertUnifiedAlertDeInitCtx(oc); + if (filename != NULL) free(filename); return r; } #endif /* UNITTESTS */ diff --git a/src/alert-unified-log.c b/src/alert-unified-log.c index 71772b19e6..227b98c59f 100644 --- a/src/alert-unified-log.c +++ b/src/alert-unified-log.c @@ -449,12 +449,11 @@ static int AlertUnifiedLogTestRotate01(void) memset(&tv, 0, sizeof(ThreadVars)); - if (lf == NULL) - return 0; - ret = AlertUnifiedLogThreadInit(&tv, oc, &data); if (ret == TM_ECODE_FAILED) { LogFileFreeCtx(lf); + if (filename != NULL) + free(filename); return 0; } 
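Review bot: Dropping the `if (lf == NULL) return 0;` guard in AlertUnifiedAlertTestRotate01 leaves `LogFileFreeCtx(lf)` on the failure branch with no visible check that `lf` is valid. The assignment of `lf` is outside the hunk, so this is only safe if `lf` is already dereferenced or checked earlier in the function; if it is, a short comment at the removal site naming that earlier check would record why the guard went away. The same removal appears in AlertUnifiedLogTestRotate01 and Unified2TestRotate01. The new `if (filename != NULL)` tests are unnecessary because `free(NULL)` is a no-op, so a plain `free(filename);` is enough here and at the `error:` labels.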
@@ -472,6 +471,7 @@ static int AlertUnifiedLogTestRotate01(void) error: AlertUnifiedLogThreadDeinit(&tv, data); if (oc != NULL) AlertUnifiedLogDeInitCtx(oc); + if (filename != NULL) free(filename); return r; } #endif /* UNITTESTS */ diff --git a/src/alert-unified2-alert.c b/src/alert-unified2-alert.c index d52ee6fe57..97e5345fc7 100644 --- a/src/alert-unified2-alert.c +++ b/src/alert-unified2-alert.c @@ -1059,12 +1059,11 @@ static int Unified2TestRotate01(void) memset(&tv, 0, sizeof(ThreadVars)); - if (lf == NULL) - return 0; - ret = Unified2AlertThreadInit(&tv, oc, &data); if (ret == TM_ECODE_FAILED) { LogFileFreeCtx(lf); + if (filename != NULL) + free(filename); return 0; } diff --git a/src/detect-engine-address.c b/src/detect-engine-address.c index ad4a770021..333f94dccb 100644 --- a/src/detect-engine-address.c +++ b/src/detect-engine-address.c @@ -993,7 +993,11 @@ int DetectAddressParse2(DetectAddressHead *gh, DetectAddressHead *ghn, char *s, } else if (depth == 0 && s[u] == '$') { d_set = 1; } else if (depth == 0 && u == size - 1) { - address[x] = '\0'; + if (x == 1024) { + address[x - 1] = '\0'; + } else { + address[x] = '\0'; + } x = 0; if (d_set == 1) { diff --git a/src/detect-engine-iponly.c b/src/detect-engine-iponly.c index 9c188403c7..393832b919 100644 --- a/src/detect-engine-iponly.c +++ b/src/detect-engine-iponly.c @@ -402,7 +402,11 @@ IPOnlyCIDRItem *IPOnlyCIDRListParse2(char *s, int negate) } else if (depth == 0 && s[u] == '$') { d_set = 1; } else if (depth == 0 && u == size - 1) { - address[x] = '\0'; + if (x == 1024) { + address[x - 1] = '\0'; + } else { + address[x] = '\0'; + } x = 0; if (d_set == 1) { diff --git a/src/detect-engine-port.c b/src/detect-engine-port.c index 0383c71354..9dd555891a 100644 --- a/src/detect-engine-port.c +++ b/src/detect-engine-port.c 
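Review bot: The new `x == 1024` branch in DetectAddressParse2 silently shortens an over-long address element instead of rejecting it, and it guards only the terminator write. The statement that stores characters into `address` and advances `x` is outside the hunk, so whether `x` can pass 1024 before this branch is not visible here. In a rule parser a truncated address can describe a different network than the rule author wrote, so failing the parse is the safer outcome: test `if (x >= sizeof(address))` (assuming `address` is a local array) and take the function's existing failure path rather than writing `address[x - 1]`. Tying the bound to the buffer also removes the literal 1024. The same pattern is added in IPOnlyCIDRListParse2 and DetectPortParseDo.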
@@ -1079,7 +1079,11 @@ static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s, d_set = 1; } else if (depth == 0 && u == size-1) { range = 0; - address[x] = '\0'; + if (x == 1024) { + address[x - 1] = '\0'; + } else { + address[x] = '\0'; + } SCLogDebug("%s", address); x = 0; if (d_set == 1) { diff --git a/src/detect-fragoffset.c b/src/detect-fragoffset.c index f107281fec..3666793479 100644 --- a/src/detect-fragoffset.c +++ b/src/detect-fragoffset.c @@ -113,7 +113,7 @@ int DetectFragOffsetMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet */ DetectFragOffsetData *DetectFragOffsetParse (char *fragoffsetstr) { DetectFragOffsetData *fragoff = NULL; - char *substr[2] = {NULL, NULL}; + char *substr[3] = {NULL, NULL, NULL}; #define MAX_SUBSTRINGS 30 int ret = 0, res = 0; int ov[MAX_SUBSTRINGS]; @@ -164,14 +164,14 @@ DetectFragOffsetData *DetectFragOffsetParse (char *fragoffsetstr) { ByteExtractStringUint16(&fragoff->frag_off, 10, 0, substr[1]); - for (i = 0; i < 2; i++) { + for (i = 0; i < 3; i++) { if (substr[i] != NULL) SCFree(substr[i]); } return fragoff; error: - for (i = 0; i < 2; i++) { + for (i = 0; i < 3; i++) { if (substr[i] != NULL) SCFree(substr[i]); } if (fragoff != NULL) DetectFragOffsetFree(fragoff); diff --git a/src/util-debug.c b/src/util-debug.c index 7b19798cf6..7e0d34a621 100644 --- a/src/util-debug.c +++ b/src/util-debug.c 
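Review bot: The size of `substr` in DetectFragOffsetParse is now spelled as the literal 3 in three places (the declaration here and the two `for (i = 0; i < 3; i++)` cleanup loops in the next hunk), which is how a 2-versus-3 mismatch can creep back in. Deriving the bound from the array keeps them in step, e.g. `i < (int)(sizeof(substr) / sizeof(substr[0]))` with the cast matched to the type of `i`. The code that fills `substr` lies between the two hunks and is not visible, so confirm that index 2 is the largest one it writes. Separately, the context line `ByteExtractStringUint16(&fragoff->frag_off, 10, 0, substr[1]);` discards its result, so a value that fails to convert would presumably leave `frag_off` at its initial value; that is worth checking while the function is being touched.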
@@ -269,25 +269,38 @@ SCError SCLogMessage(SCLogLevel log_level, char **msg, const char *file, printf("Logging module not initialized. Call SCLogInitLogModule(), " "before using the logging API\n"); #endif + if (temp_fmt != NULL) + free(temp_fmt); return SC_ERR_LOG_MODULE_NOT_INIT; } if (sc_log_fg_filters_present == 1) { - if (SCLogMatchFGFilterWL(file, function, line) != 1) + if (SCLogMatchFGFilterWL(file, function, line) != 1) { + if (temp_fmt != NULL) + free(temp_fmt); return SC_ERR_LOG_FG_FILTER_MATCH; + } - if (SCLogMatchFGFilterBL(file, function, line) != 1) + if (SCLogMatchFGFilterBL(file, function, line) != 1) { + if (temp_fmt != NULL) + free(temp_fmt); return SC_ERR_LOG_FG_FILTER_MATCH; + } } - if (sc_log_fd_filters_present == 1 && SCLogMatchFDFilter(function) != 1) + if (sc_log_fd_filters_present == 1 && SCLogMatchFDFilter(function) != 1) { + if (temp_fmt != NULL) + free(temp_fmt); return SC_ERR_LOG_FG_FILTER_MATCH; + } while ( (temp_fmt = index(temp_fmt, SC_LOG_FMT_PREFIX)) ) { if ((temp - *msg) > SC_LOG_MAX_LOG_MSG_LEN) { printf("Warning: Log message exceeded message length limit of %d\n", SC_LOG_MAX_LOG_MSG_LEN); *msg = *msg + SC_LOG_MAX_LOG_MSG_LEN; + if (temp_fmt_h != NULL) + free(temp_fmt_h); return SC_OK; } switch(temp_fmt[1]) { @@ -414,6 +427,8 @@ SCError SCLogMessage(SCLogLevel log_level, char **msg, const char *file, return SC_OK; error: + if (temp_fmt != NULL) + free(temp_fmt_h); return SC_ERR_SPRINTF; } diff --git a/src/util-radix-tree.c b/src/util-radix-tree.c index a08f395724..a5e4d279ca 100644 --- a/src/util-radix-tree.c +++ b/src/util-radix-tree.c 
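Review bot: The four early returns added to SCLogMessage release `temp_fmt`, while the length-limit return inside the loop and the `error:` path release `temp_fmt_h`. That is correct only while `temp_fmt` still points at the start of the allocation, and the declarations and the allocation are outside the hunk. Freeing the head pointer on every path (`free(temp_fmt_h);`, provided it is already assigned at those points) removes that dependency, and the `!= NULL` tests can go because `free(NULL)` is a no-op. Since the filter checks only use `file`, `function` and `line`, another option is to create the copy after them so the early returns have nothing to release.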
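Review bot: The `error:` path in SCLogMessage tests one pointer and frees another: `if (temp_fmt != NULL) free(temp_fmt_h);`. If `temp_fmt` has already become NULL when control reaches the label, the buffer behind `temp_fmt_h` is leaked, and the check says nothing about whether `temp_fmt_h` itself is valid. An unconditional `free(temp_fmt_h);` is simpler and matches the length-limit return in the previous hunk. The `return SC_OK;` just above the label is unchanged, and whether the copy is released before it is not visible in this hunk.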
@@ -974,8 +974,8 @@ SCRadixNode *SCRadixAddKeyIPV4String(const char *str, SCRadixTree *tree, void *u struct in_addr addr; /* Make a copy of the string so it can be modified */ - strncpy(ip_str, str, sizeof(ip_str) - 1); - *(ip_str + sizeof(ip_str)) = '\0'; + strncpy(ip_str, str, sizeof(ip_str) - 2); + *(ip_str + (sizeof(ip_str) - 1)) = '\0'; /* Does it have a mask? */ if (NULL != (mask_str = strchr(ip_str, '/'))) { @@ -1022,8 +1022,8 @@ SCRadixNode *SCRadixAddKeyIPV6String(const char *str, SCRadixTree *tree, void *u struct in6_addr addr; /* Make a copy of the string so it can be modified */ - strncpy(ip_str, str, sizeof(ip_str) - 1); - *(ip_str + sizeof(ip_str)) = '\0'; + strncpy(ip_str, str, sizeof(ip_str) - 2); + *(ip_str + sizeof(ip_str) - 1) = '\0'; /* Does it have a mask? */ if (NULL != (mask_str = strchr(ip_str, '/'))) { diff --git a/src/util-spm.c b/src/util-spm.c index 8e45e31226..49a8111cfc 100644 --- a/src/util-spm.c +++ b/src/util-spm.c @@ -968,7 +968,7 @@ int UtilSpmSearchOffsetsTest01() { int i, j; uint8_t *found = NULL; for (i = 0; i < 26; i++) { - for (j = 0; j <= 26 - i; j++) { + for (j = 0; j <= (26 - i); j++) { found = BasicSearchWrapper((uint8_t *)text[i][j], (uint8_t *)needle[i], 1); if (found == 0) { printf("Error1 searching for %s in text %s\n", needle[i], text[i][j]); @@ -1403,7 +1403,7 @@ int UtilSpmSearchOffsetsNocaseTest01() { int i, j; uint8_t *found = NULL; for (i = 0; i < 26; i++) { - for (j = 0; j <= 26-i; j++) { + for (j = 0; j <= (26-i); j++) { found = BasicSearchNocaseWrapper((uint8_t *)text[i][j], (uint8_t *)needle[i], 1); if (found == 0) { printf("Error1 searching for %s in text %s\n", needle[i], text[i][j]);
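Review bot: The copy in SCRadixAddKeyIPV4String now stops one byte short of the terminator. `strncpy(ip_str, str, sizeof(ip_str) - 2)` fills at most indices 0 to `sizeof(ip_str) - 3`, the NUL goes to `sizeof(ip_str) - 1`, and nothing writes index `sizeof(ip_str) - 2` when `str` is that long or longer. Unless `ip_str` is zero-initialised at its declaration (outside the hunk), the `strchr(ip_str, '/')` that follows can then read an indeterminate byte. Only the terminator index was wrong in the old code, so `strncpy(ip_str, str, sizeof(ip_str) - 1);` followed by `ip_str[sizeof(ip_str) - 1] = '\0';` fixes the overflow without leaving a gap. The SCRadixAddKeyIPV6String hunk has the same pattern, and in both an over-long input is still truncated silently rather than rejected.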
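Review bot: The added parentheses in UtilSpmSearchOffsetsTest01 do not change the loop bound: `j <= (26 - i)` evaluates exactly as `j <= 26 - i`. If the analyzer finding behind this hunk was an out-of-range index in `text[i][j]`, it is therefore still present. The declaration of `text` is outside the hunk; if its second dimension is smaller than 27, either the condition or the array size has to change, and otherwise a comment next to the loop stating the dimension would document why the bound is safe. The same applies to the matching loop in UtilSpmSearchOffsetsNocaseTest01.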