Project

General

Profile

Actions

Bug #3775

closed

Memory leak in libhtp in error case

Added by Philippe Antoine almost 4 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22709

Stack trace is

Direct leak of 31 byte(s) in 1 object(s) allocated from:
    #0 0x51dbad in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x5565e0 in bstr_alloc libhtp/htp/bstr.c:44:15
    #2 0x5565e0 in bstr_dup_mem libhtp/htp/bstr.c:259:18
    #3 0x57162c in htp_parse_request_line_generic_ex libhtp/htp/htp_request_generic.c:326:26
    #4 0x56e11d in htp_connp_REQ_LINE_complete libhtp/htp/htp_request.c:797:9
    #5 0x56f4a0 in htp_connp_req_data libhtp/htp/htp_request.c:1048:27
    #6 0x5502d2 in LLVMFuzzerTestOneInput libhtp/test/fuzz/fuzz_htp.c:190:18

Reproducer is

<<<

>>>
CONNECT ˇ ˇ

<<<

<<<

<<<
  HTTP 101

>>>
GET
:

CONNECT


Related issues 1 (0 open1 closed)

Related to Suricata - Task #3922: libhtp 0.5.35ClosedPhilippe AntoineActions
Actions #1

Updated by Philippe Antoine almost 4 years ago

Bug analysis.

At some point the in connection (from client to server) gets in an error state

Then, the function htp_connp_RES_BODY_DETERMINE does connp->in_status = HTP_STREAM_TUNNEL; with the response code 101 without checking that the status was not in error

Later, the connection gets closed.
There the check passes because of the previous change :

if (connp->in_status != HTP_STREAM_ERROR)
        connp->in_status = HTP_STREAM_CLOSED;

And we process htp_connp_REQ_LINE_complete and its allocations again, even if we have no data

Actions #3

Updated by Philippe Antoine almost 4 years ago

  • Status changed from Assigned to In Review

PR in gitlab

Actions #4

Updated by Andreas Herz over 3 years ago

  • Assignee set to Philippe Antoine
Actions #5

Updated by Philippe Antoine over 3 years ago

Actions #6

Updated by Philippe Antoine over 3 years ago

Actions #7

Updated by Philippe Antoine over 3 years ago

Actions #8

Updated by Victor Julien over 3 years ago

  • Target version changed from 6.0.0beta1 to 6.0.0rc1
Actions #9

Updated by Victor Julien over 3 years ago

  • Target version changed from 6.0.0rc1 to 6.0.0
Actions #10

Updated by Victor Julien over 3 years ago

Actions #11

Updated by Victor Julien over 3 years ago

Actions #12

Updated by Victor Julien over 3 years ago

  • Status changed from In Review to Closed
Actions #13

Updated by Victor Julien over 3 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF