Bug #8647
closedSMTP/email JSON logger frees caller-owned SCJsonBuilder on NULL state path
Description
While reviewing the SMTP Eve JSON logging code, I noticed an ownership issue in EveEmailLogJsonData() in src/output-json-email-common.c.
When smtp_state NULL, the function frees the provided SCJsonBuilder and returns failure:
However, the builder is owned by the caller. For example, EveEmailLogJson() continues to operate on the same builder after the call:
This makes ownership handling inconsistent: the callee frees a caller-owned object while the caller assumes it remains valid for subsequent cleanup.
Suggested fix:
Do not free sjs in EveEmailLogJsonData().
Simply return failure when smtp_state NULL.
Optionally add defensive NULL checks in EveSmtpDataLogger() for state and vtx.
I have not verified whether the NULL-state path is reachable during normal runtime, so I am reporting this as a correctness / hardening issue rather than a confirmed security issue.
Files
SS Updated by Samaresh Kumar singh 3 days ago
- Assignee set to Samaresh Kumar singh
JI Updated by Jason Ish 3 days ago
- Status changed from New to In Review
- Assignee changed from Samaresh Kumar singh to Urval Kheni
There is already a PR in review: https://github.com/OISF/suricata/pull/15599
SS Updated by Samaresh Kumar singh 3 days ago
- Status changed from In Review to New
- Assignee changed from Urval Kheni to Jason Ish
Here is PR for this issue: https://github.com/OISF/suricata/pull/15599
VJ Updated by Victor Julien 3 days ago
- Status changed from New to In Review
- Assignee changed from Jason Ish to Urval Kheni
- Target version changed from TBD to 9.0.0-beta1
@Samaresh Kumar singh please leave the ticket if it was assigned to others.
UK Updated by Urval Kheni 3 days ago
- Status changed from In Review to Closed