Bug #197
Crash in prelude_connection_permission_new_from_string() with permission="idmef"
Description
The crash is in libprelude, file prelude-connection.c, line 891:
    tmp = buf;
    while ( (tptr = strsep(&tmp, ":")) ) {

        while ( *tptr == ' ' )
            tptr++;

        if ( ! *tptr )
            continue;

        for ( i = 0; tbl[i].name; i++ ) {
            if ( strcmp(tbl[i].name, tptr) != 0 )
                continue;

            break;
        }

        if ( ! tbl[i].name )
            return prelude_error_verbose(PRELUDE_ERROR_UNKNOWN_PERMISSION_TYPE, "unknown permission type '%s'", tptr);

        while ( *tmp == ' ' ) @@@ HERE @@@
            tmp++;
        (...)
If the buffer doesn't contain a separator (':'), strsep() sets tmp to NULL, and so *tmp crashes.
History
#1 Updated by Yoann VANDOORSELAERE over 16 years ago
- Status changed from New to Assigned
#2 Updated by over 16 years ago
The analysis makes no sense. strsep doesn't set tmp, it only reads from it. And if strsep returns a NULL then the while loop would not be entered.
#3 Updated by Yoann VANDOORSELAERE over 16 years ago
Replying to [comment:2 anonymous]:
> The analysis makes no sense. strsep doesn't set tmp, it only reads from it. And if strsep returns a NULL then the while loop would not be entered.

Victor is correct, strsep will:
- Overwrite the delimiter found in the input argument with \0.
- Update the input argument so that it points to the remaining portion of the string.
- Return a pointer to the start of the string if no delimiter was found.
For reference, here is the strsep manual page:
char *strsep(char **stringp, const char *delim);
If *stringp is NULL, the strsep() function returns NULL and does nothing else. Otherwise, this function finds the first token in the string *stringp, where tokens are delimited by symbols in the string delim. This token is terminated with a
#4 Updated by over 16 years ago
ack I am indeed on drugs!
#5 Updated by Yoann VANDOORSELAERE over 16 years ago
- Status changed from Assigned to Closed
- Resolution set to fixed
(In r8813) Prevent NULL pointer dereference if no permission is specified after the permission type. Fix #197.
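The failure mode discussed in this ticket, as an added example that is neither libprelude code nor the r8813 change: a small "type:perms" parser showing that strsep() leaves the remainder pointer NULL when the input has no ':', and a NULL check before the pointer is dereferenced. The names `known_types`, `parse_entry` and the `PERM_*` return codes are hypothetical, and the sample inputs are constructed.

```c
#define _DEFAULT_SOURCE /* exposes strsep() on glibc */
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the permission-type table (tbl[]) in the excerpt. */
static const char *const known_types[] = { "idmef", "admin", NULL };

enum { PERM_OK = 0, PERM_UNKNOWN_TYPE = -1, PERM_MISSING = -2 };

/* Parse one "type:perms" entry. On PERM_OK, perms receives the text after
 * the ':' with leading spaces skipped. */
int parse_entry(const char *spec, char *perms, size_t perms_len)
{
    char buf[128], *tmp = buf, *tptr;
    size_t i;

    snprintf(buf, sizeof(buf), "%s", spec);   /* strsep() writes into its input */

    tptr = strsep(&tmp, ":");                 /* tmp becomes NULL if there is no ':' */
    while (*tptr == ' ')
        tptr++;

    for (i = 0; known_types[i]; i++)
        if (strcmp(known_types[i], tptr) == 0)
            break;
    if (!known_types[i])
        return PERM_UNKNOWN_TYPE;

    /* Guard missing from the excerpt: with "idmef" alone, tmp is NULL here
     * and the following *tmp would be a NULL pointer dereference. */
    if (!tmp)
        return PERM_MISSING;

    while (*tmp == ' ')
        tmp++;
    snprintf(perms, perms_len, "%s", tmp);
    return PERM_OK;
}

int main(void)
{
    const char *samples[] = { "idmef:rw", "idmef: w", "idmef", "bogus:r" }; /* constructed */
    char perms[32];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        perms[0] = '\0';
        int rc = parse_entry(samples[i], perms, sizeof(perms));
        printf("%-10s -> rc=%d perms='%s'\n", samples[i], rc, perms);
    }
    return 0;
}
```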
#6 Updated by Yoann VANDOORSELAERE over 14 years ago
- Project changed from PRELUDE SIEM to Libprelude
- Category deleted (1)
- Target version deleted (0.9.13)