Bug #8588: redis: NULL dereference when allocating stream format

Added by Denis Balashov 1 day ago. Updated 1 day ago.

Status: Assigned
Priority: Normal

Description

In SCConfLogOpenRedis(), when Redis output is configured in stream/xadd mode with a positive stream-maxlen value, Suricata allocates redis_setup.stream_format and immediately passes it to snprintf().

Current code path:

src/util-log-redis.c:
- SCConfLogOpenRedis()
- redis mode is "stream" or "xadd"
- stream-maxlen is greater than 0
- log_ctx->redis_setup.stream_format = SCCalloc(100, sizeof(char))
- snprintf(log_ctx->redis_setup.stream_format, ...)

If SCCalloc() fails, stream_format is NULL and snprintf() dereferences it, causing a crash during Redis output initialization.

Nearby Redis initialization code already uses FatalError() for unrecoverable setup failures, for example when allocating the Redis context or validating required Redis configuration. This suggests the missing allocation check is an oversight.

Proposed fix:
Check redis_setup.stream_format after SCCalloc() and call FatalError() if allocation fails, before passing it to snprintf().

Patch branch:
https://github.com/kenifor/suricata/tree/fix-redis-stream-format-alloc

Pull request:
TBD
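
The check proposed in this ticket, sketched as an added example that is not part of the ticket or of Suricata's code. `RedisSetupSketch`, `BuildStreamFormat`, `CallocFn`, `FailingCalloc`, the return codes and the format string are assumptions; plain `calloc` stands in for `SCCalloc()`, and an allocator hook lets the failure path be exercised on demand.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STREAM_FORMAT_LEN 100 /* size requested by SCCalloc(100, sizeof(char)) in the ticket */

/* Hypothetical stand-in for log_ctx->redis_setup; only stream_format is named in the ticket. */
typedef struct {
    char *stream_format;
} RedisSetupSketch;

/* Allocator hook so the failure path can be exercised without exhausting memory. */
typedef void *(*CallocFn)(size_t nmemb, size_t size);

/* Constructed allocator that always fails, simulating SCCalloc() returning NULL. */
static void *FailingCalloc(size_t nmemb, size_t size)
{
    (void)nmemb;
    (void)size;
    return NULL;
}

/* Returns 0 on success, -1 when the allocation fails. Suricata would call
 * FatalError() in the -1 branch; returning keeps the outcome observable here. */
static int BuildStreamFormat(RedisSetupSketch *rs, int stream_maxlen, CallocFn alloc_fn)
{
    rs->stream_format = alloc_fn(STREAM_FORMAT_LEN, sizeof(char));
    if (rs->stream_format == NULL) {
        return -1; /* checked before snprintf() ever sees the pointer */
    }
    /* Constructed format string, not the one used in src/util-log-redis.c. */
    snprintf(rs->stream_format, STREAM_FORMAT_LEN, "maxlen=%d", stream_maxlen);
    return 0;
}

int main(void)
{
    RedisSetupSketch ok = { NULL }, bad = { NULL };
    int rc_ok = BuildStreamFormat(&ok, 100000, calloc);
    int rc_bad = BuildStreamFormat(&bad, 100000, FailingCalloc);
    printf("normal allocator:  rc=%d\n", rc_ok);
    printf("failing allocator: rc=%d\n", rc_bad);
    if (rc_ok == 0) {
        printf("format: %s\n", ok.stream_format);
    }
    free(ok.stream_format);
    return 0;
}
```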

#1 Updated by Juliana Fajardini Reichow 1 day ago

  • Status changed from New to Assigned
  • Assignee set to Denis Balashov
  • Target version changed from TBD to 9.0.0-beta1

Hi, could you please submit a PR with your patch, so it's easier for us to review and test?

Thanks for creating this bug ticket, I've assigned the ticket to you.
