Project

General

Profile

Bug #197

Crash in prelude_connection_permission_new_from_string() with permission="idmef"

Added by over 16 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Yoann VANDOORSELAERE
Target version:
0.9.13
Start date:
Due date:
% Done:

0%

Resolution:
fixed

Description

The crash in is libprelude, file prelude-connection.c, line 891:

        tmp = buf;
        while ( (tptr = strsep(&tmp, ":")) ) {

                while ( *tptr == ' ' ) tptr++;
                if ( ! *tptr )
                        continue;

                for ( i = 0; tbl[i].name; i++ ) {
                        if ( strcmp(tbl[i].name, tptr) != 0 )
                                continue;

                        break;
                }

                if ( ! tbl[i].name )
                        return prelude_error_verbose(PRELUDE_ERROR_UNKNOWN_PERMISSION_TYPE, "unknown permission type '%s'", tptr);

                while ( *tmp == ' ' )     @@@ HERE @@@
                        tmp++;
(...)

If buffer doesn't contains separator (':'), strsep() set tmp to NULL, and so *tmp crash.

History

#1 Updated by Yoann VANDOORSELAERE over 16 years ago

  • Status changed from New to Assigned

#2 Updated by over 16 years ago

The analysis makes no sense. strsep doesn't set tmp, it only reads from it. And if strsep returns a NULL then the while loop would not be entered.

#3 Updated by Yoann VANDOORSELAERE over 16 years ago

Replying to [comment:2 anonymous]:

The analysis makes no sense. strsep doesn't set tmp, it only reads from it. And if strsep returns a NULL then the while loop would not be entered.

Victor is correct, strsep will:
  • Overwrite the delimiter found in the input argument with \0.
  • Update the input argument so that it point to the remaining portion of the string.
  • Return a pointer to the start of the string if no delimiter was found.

For reference, here is the strsep manual page:

char *strsep(char **stringp, const char *delim);

_If *stringp is NULL, the strsep() function returns NULL and does nothing else. Otherwise, this function finds the first token in the string *stringp, where tokens are delimited by symbols in the string delim. This token is terminated with a

#4 Updated by over 16 years ago

ack :) I am indeed on drugs!

#5 Updated by Yoann VANDOORSELAERE over 16 years ago

  • Status changed from Assigned to Closed
  • Resolution set to fixed

(In r8813) Prevent NULL pointer dereference if no permission is specified after the permission type. Fix #197.

#6 Updated by Yoann VANDOORSELAERE over 14 years ago

  • Project changed from PRELUDE SIEM to Libprelude
  • Category deleted (1)
  • Target version deleted (0.9.13)

Also available in: Atom PDF