Project

General

Profile

Actions

Bug #6815

open

util/decode-mime: Possible derefernce of nullptr

Added by Alexey Simakov 3 months ago. Updated 3 months ago.

Status:
New
Priority:
Normal
Target version:
Affected Versions:
Effort:
low
Difficulty:
low
Label:

Description

There is a PopStack method, which have transitive check for stack->top item and if its not null, curr->next(stack->top->next) field will be used, after that function try to release allocated memory for stack->top->bdef field.

static MimeDecStackNode * PopStack(MimeDecStack *stack)
{
    /* Move stack pointer to next item */
    MimeDecStackNode *curr = stack->top;
    if (curr != NULL) { <---- Check that current top item not null
        curr = curr->next;
    }

    /* Always free alloc'd memory */
    SCFree(stack->top->bdef); <---- Free allocated memory for bdef field of top item

    /* Now move head to free nodes list */
    if (stack->free_nodes_cnt < STACK_FREE_NODES) {
        stack->top->next = stack->free_nodes;
        stack->free_nodes = stack->top;
        stack->free_nodes_cnt++;
    } else {
        SCFree(stack->top);
    }
    stack->top = curr;

    /* Return a pointer to the top of the stack */
    return curr;
}

Current behaviour could lead to dereference of nullptr for cases when stack->top is null


Related issues 1 (1 open0 closed)

Related to Suricata - Feature #3487: multi-part parser in RustIn ReviewPhilippe AntoineActions
Actions #1

Updated by Alexey Simakov 3 months ago

Honestly, I wasnt unable to found some execution paths to case where stack->top null when calling PopStack happened, so probably there is not direct affection on current functionality, but anyway current behaviour seems incorrect.

Could I count this like issue, or probably there is some background for current behaviour?

Actions #2

Updated by Philippe Antoine 3 months ago

Actions

Also available in: Atom PDF