This repository has been archived by the owner on Oct 23, 2020. It is now read-only.

Missing Sanity Checks and Possible NULL pointer dereference(s) in tcptrace 6.6.7 #1

Open
dogbert2 opened this issue Oct 15, 2015 · 0 comments


Hello All,

In reviewing source code in tcptrace 6.6.7, I found a number of
instances in the code where calls to malloc() are not checked for a
return value of NULL, indicating failure. Also, in some cases, calls
to malloc() are followed by calls to memset() but if the address value
sent to memset() is NULL, the program will abort with a segmentation
violation/fault. The patch files below should address/correct
these issues:

In file mod_http.c, there is a call to malloc() which is not checked
for a return value of NULL, indicating failure. The patch file below
addresses this issue:

--- mod_http.c.orig 2015-10-15 09:25:09.753604594 -0700
+++ mod_http.c 2015-10-15 09:27:52.001225432 -0700
@@ -914,6 +914,10 @@
int i = 0;
int j = 0;
char *buf = (char *)malloc(len);

  • if (NULL == buf) {
  • perror("malloc");
  • exit(-1);
  • }
    char ascii[2];
    while (i < len) {
    if (s[i] == '%') {
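
Review bot: The added check after `char *buf = (char *)malloc(len);` treats every NULL as out-of-memory, but malloc(0) is allowed to return NULL, so if `len` can be 0 here an empty input would now terminate the program. Testing `len > 0 && NULL == buf` avoids that. `exit(-1)` is also reported to the parent process as status 255; `exit(EXIT_FAILURE)` states the intent.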

In file 'mod_inbounds.c', there is a call to malloc() which is not
checked for a return value of NULL, indicating failure.

--- mod_inbounds.c.orig 2015-10-15 09:30:23.056423771 -0700
+++ mod_inbounds.c 2015-10-15 09:31:34.386489456 -0700
@@ -285,6 +285,10 @@
return(0); /* don't call me again */

  mod_info = (iinfo *)malloc(sizeof(iinfo));
  • if (NULL == mod_info) {
    
  • fprintf(stderr, "mod_inbounds: unable to allocate memory\n");
    
  • exit(-1);
    
  • }
    
    mod_info->last_tcp_scheduled_time = current_time;
    mod_info->last_tcp_actual_time = current_time;
    mod_info->last_udp_scheduled_time = current_time;
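
Review bot: `exit(-1)` in the added block reaches the parent process as status 255, and the tcptrace.c hunks in this same patch set use `exit(1)` and `exit(2)` for the same kind of failure; pick one value (`EXIT_FAILURE`) across the files. The message here also drops errno, where the mod_http.c hunk uses `perror()`; one reporting style for all the new checks would make failures easier to search for.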

In file 'mod_realtime.c', there is a call to malloc() which is not
checked for a return value of NULL, indicating failure.

--- mod_realtime.c.orig 2015-10-15 09:33:07.506324508 -0700
+++ mod_realtime.c 2015-10-15 09:34:09.609217466 -0700
@@ -165,6 +165,10 @@
return(0); /* don't call me again */

mod_info = (rtinfo *)malloc(sizeof(rtinfo));

  • if (NULL == mod_info) {
  • fprintf(stderr, "mod_realtime: Unable to allocate memory\n");
  • exit(-1);
  • }
    mod_info->last_scheduled_time = current_time;
    mod_info->last_actual_time = current_time;
    mod_info->conn_head = NULL;
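
Review bot: The added block ends the whole process when `malloc(sizeof(rtinfo))` fails, while the context line directly above it, `return(0); /* don't call me again */`, shows this function can already tell its caller not to call it again. If a module that fails to initialise should not stop the trace, print the error and return 0 here instead of calling `exit(-1)`. The message is also capitalised differently from the mod_inbounds.c one ("Unable" vs "unable").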

In file 'output.c', there are two calls to malloc() which are not
checked for a return value of NULL, indicating failure. However,
immediately after the calls to malloc(), calls to memset() are made
with the return value from malloc(), but if this value is NULL, the
program will abort with a segmentation violation/fault. The patch file
below addresses/corrects these issues:

--- output.c.orig 2015-10-15 09:35:25.499862777 -0700
+++ output.c 2015-10-15 09:38:15.528472539 -0700
@@ -1084,6 +1084,10 @@
if(csv || tsv) {
/* Initialize the separator buffer */
sp = (char *)malloc(sizeof(char *) * 2);

  •  if (NULL == sp) {
    
  •    fprintf(stderr, "PrintSVHeader: Unable to allocate memory\n");
    
  •    exit(-1);
    
  •  }
    
    memset(sp, 0, sizeof(sp));
    /* Set it /
    if(csv)
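
Review bot: `memset(sp, 0, sizeof(sp));` right after the added check uses the size of the pointer, not of the buffer, and the allocation `malloc(sizeof(char *) * 2)` looks like it was meant to be two chars. The memset happens to stay in bounds, but since this hunk touches the allocation, replacing the pair with `calloc(2, sizeof(char))` and keeping the length in a variable would fix the sizing and remove the memset.
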
    @@ -1102,6 +1106,10 @@
    if(strncmp(sv, "\t", 2) == 0) {
    /
    Initialize the separator buffer and set it */
    sp = (char *)malloc(sizeof(char *) * 2);
  •  if (NULL == sp) {
    
  •    fprintf(stderr, "PrintSVHeader: Unable to allocate memory\n");
    
  •    exit(-1);
    
  •  }
    
    memset(sp, 0, sizeof(sp));
    snprintf(sp, sizeof(sp), "\t");
    }
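
Review bot: The added check at the second `sp = (char *)malloc(sizeof(char *) * 2);` duplicates the one in the previous hunk, message included, so a failure here cannot be told apart from one at the first site. A small checked-allocation helper called from both places would remove the duplication. `snprintf(sp, sizeof(sp), "\t");` below the check also bounds the write by the pointer size rather than by the two bytes the string needs.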

In file 'output.c', there are three calls to malloc() which are not
checked for a return value of NULL, indicating failure. However,
immediately after one of the calls to malloc(), a call to memset() is
made with the return value from malloc(), but if this value is NULL,
the program will abort with a segmentation violation/fault.

The patch file below addresses/corrects these issues:

--- tcptrace.c.orig 2015-10-15 09:39:55.627194572 -0700
+++ tcptrace.c 2015-10-15 09:44:02.207533665 -0700
@@ -741,6 +741,10 @@
* prints a '#' before each header line if --csv/--tsv is requested.
*/
comment = (char *)malloc(sizeof(char *) * 2);

  • if (NULL == comment) {
  •  perror("malloc");
    
  •  exit(1);
    
  • }
    memset(comment, 0, sizeof(comment));
    if(csv || tsv || (sv != NULL))
    snprintf(comment, sizeof(comment), "#");
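
Review bot: `perror("malloc")` in the added block gives no hint of which call failed, while the other two hunks in this file prefix the function name (`perror("StringToArgv: malloc")`), and it exits with 1 where they exit with 2. Use the same prefix style and one exit value throughout the file.
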
    @@ -1569,6 +1573,10 @@

/* (very pessimistically) make the argv array */
argv = malloc(sizeof(char *) * ((strlen(buf)/2)+1));

  • if (NULL == argv) {
  •    perror("StringToArgv: malloc");
    
  •    exit(2);
    
  • }

/* skip leading blanks _/
while ((_buf != '\00') && (isspace((int)*buf))) {
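
Review bot: `perror("StringToArgv: malloc")` prints the text for whatever errno holds; POSIX has malloc set ENOMEM on failure, but ISO C does not require it, so on a non-POSIX build the message could name an unrelated error. An explicit `fprintf(stderr, ...)` message, as the mod_inbounds.c and mod_realtime.c hunks use, is portable.
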
@@ -1628,6 +1636,10 @@
int rc_len=strlen(home)+strlen(TCPTRACE_RC_FILE)+2;

rc_path = malloc(rc_len);

  •    if (NULL == rc_path) {
    
  •        perror("CheckArguments: malloc");
    
  •        exit(2);
    
  •    }
    

    snprintf(rc_path,rc_len, "%s/%s", home, TCPTRACE_RC_FILE);
    if (debug>1)
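
Review bot: `rc_len` in the context line above the added check is an `int` computed from two `strlen()` results and then passed to `malloc()` and `snprintf()`, which take `size_t`; declaring it `size_t` removes the narrowing and sign conversion. The added check itself is correctly placed before the `snprintf()` that writes through `rc_path`.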

FYI, './configure' && 'make' results in a clean configure and build
with the above patch files.

Bill Parker (wp02855 at gmail dot com)
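
The check the patches above repeat at each call site, written once as a helper, as an added example that is not part of the original issue or of tcptrace. `alloc_zeroed` and `make_separator` are hypothetical names, and the "," separator for the CSV case is an assumption (the page only shows the tab case).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from tcptrace): allocate count*size zeroed bytes.
 * Returns NULL if count*size would overflow or if the allocation fails, so
 * the caller has exactly one condition to check before touching the memory. */
static void *alloc_zeroed(size_t count, size_t size)
{
    if (size != 0 && count > SIZE_MAX / size)
        return NULL;              /* count*size would wrap around */
    if (count == 0 || size == 0)
        count = size = 1;         /* a zero-size request may legally return NULL */
    return calloc(count, size);   /* zeroed, so no separate memset() is needed */
}

/* Build the one-character separator string that the output.c hunks set up.
 * The capacity lives in a variable: sizeof applied to a char * yields the
 * pointer size, not the size of the buffer it points to. */
static char *make_separator(int csv, int tsv)
{
    const size_t cap = 2;         /* one character plus the terminating NUL */
    char *sp = alloc_zeroed(cap, sizeof(char));
    if (sp == NULL)
        return NULL;              /* caller decides: report, skip, or exit */
    if (csv)
        snprintf(sp, cap, ",");   /* assumed CSV separator */
    else if (tsv)
        snprintf(sp, cap, "\t");
    return sp;
}

int main(void)
{
    char *sp = make_separator(1, 0);
    if (sp == NULL) {
        fprintf(stderr, "make_separator: unable to allocate memory\n");
        return EXIT_FAILURE;
    }
    printf("separator is \"%s\"\n", sp);
    free(sp);
    return EXIT_SUCCESS;
}
```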
