Actions
Bug #3775
closedMemory leak in libhtp in error case
Affected Versions:
Effort:
Difficulty:
Label:
Description
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22709
Stack trace is
Direct leak of 31 byte(s) in 1 object(s) allocated from: #0 0x51dbad in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 #1 0x5565e0 in bstr_alloc libhtp/htp/bstr.c:44:15 #2 0x5565e0 in bstr_dup_mem libhtp/htp/bstr.c:259:18 #3 0x57162c in htp_parse_request_line_generic_ex libhtp/htp/htp_request_generic.c:326:26 #4 0x56e11d in htp_connp_REQ_LINE_complete libhtp/htp/htp_request.c:797:9 #5 0x56f4a0 in htp_connp_req_data libhtp/htp/htp_request.c:1048:27 #6 0x5502d2 in LLVMFuzzerTestOneInput libhtp/test/fuzz/fuzz_htp.c:190:18
Reproducer is
<<< >>> CONNECT ˇ ˇ <<< <<< <<< HTTP 101 >>> GET : CONNECT
Updated by Philippe Antoine over 4 years ago
Bug analysis.
At some point the in connection (from client to server) gets in an error state
Then, the function htp_connp_RES_BODY_DETERMINE
does connp->in_status = HTP_STREAM_TUNNEL;
with the response code 101 without checking that the status was not in error
Later, the connection gets closed.
There the check passes because of the previous change :
if (connp->in_status != HTP_STREAM_ERROR)
connp->in_status = HTP_STREAM_CLOSED;
And we process htp_connp_REQ_LINE_complete
and its allocations again, even if we have no data
Updated by Philippe Antoine over 4 years ago
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23043 is another variant
Updated by Philippe Antoine over 4 years ago
- Related to Task #3824: libhtp 0.5.34 added
Updated by Philippe Antoine over 4 years ago
- Related to deleted (Task #3824: libhtp 0.5.34)
Updated by Philippe Antoine over 4 years ago
- Blocks Task #3824: libhtp 0.5.34 added
Updated by Victor Julien over 4 years ago
- Target version changed from 6.0.0beta1 to 6.0.0rc1
Updated by Victor Julien about 4 years ago
- Target version changed from 6.0.0rc1 to 6.0.0
Updated by Victor Julien about 4 years ago
- Blocks deleted (Task #3824: libhtp 0.5.34)
Updated by Victor Julien about 4 years ago
- Related to Task #3922: libhtp 0.5.35 added
Updated by Victor Julien about 4 years ago
- Status changed from In Review to Closed
Actions