Bug #197: Crash in prelude_connection_permission_new_from_string() with permission="idmef" - Libprelude - UNITY 360

Bug #197

Crash in prelude_connection_permission_new_from_string() with permission="idmef"

Added by about 17 years ago. Updated almost 15 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Yoann VANDOORSELAERE

Target version:

0.9.13

Start date:

Due date:

% Done:

Resolution:

fixed

Description

The crash in is libprelude, file prelude-connection.c, line 891:

        tmp = buf;
        while ( (tptr = strsep(&tmp, ":")) ) {

                while ( *tptr == ' ' ) tptr++;
                if ( ! *tptr )
                        continue;

                for ( i = 0; tbl[i].name; i++ ) {
                        if ( strcmp(tbl[i].name, tptr) != 0 )
                                continue;

                        break;
                }

                if ( ! tbl[i].name )
                        return prelude_error_verbose(PRELUDE_ERROR_UNKNOWN_PERMISSION_TYPE, "unknown permission type '%s'", tptr);

                while ( *tmp == ' ' )     @@@ HERE @@@
                        tmp++;
(...)

If buffer doesn't contains separator (':'), strsep() set tmp to NULL, and so *tmp crash.

History

#1 Updated by Yoann VANDOORSELAERE about 17 years ago

Status changed from New to Assigned

#2 Updated by about 17 years ago

The analysis makes no sense. strsep doesn't set tmp, it only reads from it. And if strsep returns a NULL then the while loop would not be entered.

#3 Updated by Yoann VANDOORSELAERE about 17 years ago

Replying to [comment:2 anonymous]:

The analysis makes no sense. strsep doesn't set tmp, it only reads from it. And if strsep returns a NULL then the while loop would not be entered.

Victor is correct, strsep will:

Overwrite the delimiter found in the input argument with \0.
Update the input argument so that it point to the remaining portion of the string.
Return a pointer to the start of the string if no delimiter was found.

For reference, here is the strsep manual page:

char *strsep(char **stringp, const char *delim);

_If *stringp is NULL, the strsep() function returns NULL and does nothing else. Otherwise, this function finds the first token in the string *stringp, where tokens are delimited by symbols in the string delim. This token is terminated with a

#4 Updated by about 17 years ago

ack I am indeed on drugs!

#5 Updated by Yoann VANDOORSELAERE about 17 years ago

Status changed from Assigned to Closed
Resolution set to fixed

(In r8813) Prevent NULL pointer dereference if no permission is specified after the permission type. Fix #197.

#6 Updated by Yoann VANDOORSELAERE almost 15 years ago

Project changed from PRELUDE SIEM to Libprelude
Category deleted (1)
Target version deleted (~~0.9.13~~)

Also available in: Atom PDF

Project

General

Profile

Issues