Bug #6815
Closed
util/decode-mime: Possible dereference of nullptr
Affected Versions:
Effort: low
Difficulty: low
Label:
Description
There is a PopStack method which has a transitive check for the stack->top item; if it is not null, the curr->next (stack->top->next) field will be used. After that, the function tries to release the allocated memory for the stack->top->bdef field.
static MimeDecStackNode * PopStack(MimeDecStack *stack)
{
    /* Move stack pointer to next item */
    MimeDecStackNode *curr = stack->top;
    if (curr != NULL) { /* <---- Check that the current top item is not null */
        curr = curr->next;
    }
    /* Always free alloc'd memory */
    SCFree(stack->top->bdef); /* <---- Free allocated memory for bdef field of top item */
    /* Now move head to free nodes list */
    if (stack->free_nodes_cnt < STACK_FREE_NODES) {
        stack->top->next = stack->free_nodes;
        stack->free_nodes = stack->top;
        stack->free_nodes_cnt++;
    } else {
        SCFree(stack->top);
    }
    stack->top = curr;
    /* Return a pointer to the top of the stack */
    return curr;
}
The current behaviour could lead to a dereference of nullptr in cases when stack->top is null.