Bug #6815 (Closed)
util/decode-mime: Possible dereference of nullptr
Description
There is a PopStack method which has a transitive check for the stack->top item: if it is not null, the curr->next (stack->top->next) field is used, and after that the function tries to release the memory allocated for the stack->top->bdef field.

    static MimeDecStackNode * PopStack(MimeDecStack *stack)
    {
        /* Move stack pointer to next item */
        MimeDecStackNode *curr = stack->top;
        if (curr != NULL) {              /* <---- Check that current top item is not null */
            curr = curr->next;
        }

        /* Always free alloc'd memory */
        SCFree(stack->top->bdef);        /* <---- Free allocated memory for bdef field of top item */

        /* Now move head to free nodes list */
        if (stack->free_nodes_cnt < STACK_FREE_NODES) {
            stack->top->next = stack->free_nodes;
            stack->free_nodes = stack->top;
            stack->free_nodes_cnt++;
        } else {
            SCFree(stack->top);
        }

        stack->top = curr;

        /* Return a pointer to the top of the stack */
        return curr;
    }

The current behaviour could lead to a dereference of nullptr in cases where stack->top is null.
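The pattern the report points at is a guard that protects one dereference (curr->next) but not the ones that follow it (stack->top->bdef, stack->top->next). The block below is an added example, not Suricata's code and not the fix merged upstream: it reconstructs a minimal version of the decoder stack (the struct layouts, SCFree/SCMalloc stand-ins and the STACK_FREE_NODES value are assumptions for this example) and shows a PopStack variant that treats an empty stack as a no-op returning NULL, so every later dereference of stack->top is reached only when top is known to be non-NULL. DemoEmptyPop runs the scenario from the report (pop on an empty stack, pop past the last element) plus node recycling through the free list.

```c
/* Added example, not Suricata's own code. Struct layouts, SCFree/SCMalloc
 * and STACK_FREE_NODES are stand-ins assumed for this reconstruction. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SCFree free              /* stand-in for Suricata's allocator wrappers */
#define SCMalloc malloc
#define STACK_FREE_NODES 8       /* assumed cap on the recycled-node list */

typedef struct MimeDecStackNode_ {
    char *bdef;                              /* boundary definition owned by the node */
    struct MimeDecStackNode_ *next;
} MimeDecStackNode;

typedef struct MimeDecStack_ {
    MimeDecStackNode *top;
    MimeDecStackNode *free_nodes;            /* recycled nodes, reused by PushStack */
    uint32_t free_nodes_cnt;
} MimeDecStack;

static char *CopyString(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = SCMalloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Push a copy of a boundary string; returns the new top, or NULL on allocation failure. */
static MimeDecStackNode *PushStack(MimeDecStack *stack, const char *bdef)
{
    MimeDecStackNode *node;
    if (stack->free_nodes != NULL) {         /* prefer a recycled node */
        node = stack->free_nodes;
        stack->free_nodes = node->next;
        stack->free_nodes_cnt--;
    } else {
        node = SCMalloc(sizeof(*node));
        if (node == NULL)
            return NULL;
    }
    node->bdef = CopyString(bdef);
    if (node->bdef == NULL) {
        SCFree(node);
        return NULL;
    }
    node->next = stack->top;
    stack->top = node;
    return node;
}

/* Hardened pop: an empty stack returns NULL without touching stack->top,
 * so the bdef/next dereferences below only run when top is non-NULL. */
static MimeDecStackNode *PopStackChecked(MimeDecStack *stack)
{
    MimeDecStackNode *curr = stack->top;
    if (curr == NULL)
        return NULL;                         /* nothing to pop: the case the report describes */
    curr = curr->next;

    SCFree(stack->top->bdef);
    stack->top->bdef = NULL;                 /* avoid a dangling pointer in a recycled node */

    if (stack->free_nodes_cnt < STACK_FREE_NODES) {
        stack->top->next = stack->free_nodes;
        stack->free_nodes = stack->top;
        stack->free_nodes_cnt++;
    } else {
        SCFree(stack->top);
    }
    stack->top = curr;
    return curr;                             /* new top, NULL once the stack is empty */
}

/* Release live nodes and the recycled-node list. */
static void FreeStack(MimeDecStack *stack)
{
    while (stack->top != NULL)
        PopStackChecked(stack);
    MimeDecStackNode *n = stack->free_nodes;
    while (n != NULL) {
        MimeDecStackNode *next = n->next;
        SCFree(n);
        n = next;
    }
    stack->free_nodes = NULL;
    stack->free_nodes_cnt = 0;
}

/* Constructed scenario: pops on an empty stack must be harmless, pops past
 * the end must return NULL, and popped nodes must land on the free list.
 * Returns 1 when every step behaves as expected, 0 otherwise. */
static int DemoEmptyPop(void)
{
    MimeDecStack stack = { NULL, NULL, 0 };
    if (PopStackChecked(&stack) != NULL) return 0;            /* empty: safe no-op */
    if (PushStack(&stack, "--outer") == NULL) return 0;
    if (PushStack(&stack, "--inner") == NULL) return 0;
    MimeDecStackNode *top = PopStackChecked(&stack);          /* back to --outer */
    if (top == NULL || strcmp(top->bdef, "--outer") != 0) return 0;
    if (PopStackChecked(&stack) != NULL) return 0;            /* stack now empty */
    if (PopStackChecked(&stack) != NULL) return 0;            /* pop past the end: still safe */
    if (stack.free_nodes_cnt != 2) return 0;                  /* both nodes recycled */
    if (PushStack(&stack, "--again") == NULL) return 0;       /* reuses a recycled node */
    if (stack.free_nodes_cnt != 1 || strcmp(stack.top->bdef, "--again") != 0) return 0;
    FreeStack(&stack);
    return 1;
}
```

The only behavioural change from the page's PopStack is the early `return NULL` on an empty stack; the free-list handling is kept as written so the check can be reviewed in isolation.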
Updated by Alexey Simakov 9 months ago
Honestly, I wasn't able to find any execution path to a case where stack->top is null when PopStack is called, so there is probably no direct effect on current functionality, but anyway the current behaviour seems incorrect.
Could I count this as an issue, or is there some background for the current behaviour?
Updated by Philippe Antoine 9 months ago
- Related to Feature #3487: mime: multi-part parser in Rust added
Updated by Philippe Antoine 6 months ago
- Status changed from New to Closed
Fixed in master by https://github.com/OISF/suricata/pull/11225
Feel free to reopen with more details if you manage to trigger the NULL deref on 7