Bug #8647
closed
SMTP/email JSON logger frees caller-owned SCJsonBuilder on NULL state path
Description
While reviewing the SMTP Eve JSON logging code, I noticed an ownership issue in EveEmailLogJsonData() in src/output-json-email-common.c.
When smtp_state is NULL, the function frees the provided SCJsonBuilder and returns failure:

However, the builder is owned by the caller. For example, EveEmailLogJson() continues to operate on the same builder after the call:

This makes ownership handling inconsistent: the callee frees a caller-owned object while the caller assumes it remains valid for subsequent cleanup.
Suggested fix:
Do not free sjs in EveEmailLogJsonData().
Simply return failure when smtp_state is NULL.
Optionally add defensive NULL checks in EveSmtpDataLogger() for state and vtx.
I have not verified whether the NULL-state path is reachable during normal runtime, so I am reporting this as a correctness / hardening issue rather than a confirmed security issue.
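
The ownership contract at issue, as an added example that is not part of the original report and is not Suricata code. `Builder`, `fill_buggy`, `fill_fixed` and `run_caller` are hypothetical stand-ins, and the builder counts releases instead of calling free() so the violation can be observed without undefined behaviour:

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical builder: records releases and any use after a release. */
typedef struct { int releases; int stale_uses; } Builder;

static void builder_release(Builder *b) { b->releases++; }
static void builder_touch(Builder *b) { if (b->releases > 0) b->stale_uses++; }

typedef int (*fill_fn)(const void *state, Builder *b);

/* Pattern described in the report: the callee releases an object it
 * does not own when the state pointer is NULL. */
static int fill_buggy(const void *state, Builder *b)
{
    if (state == NULL) {
        builder_release(b);          /* ownership violation */
        return -1;
    }
    return 0;
}

/* Suggested fix: report failure and leave the builder to its owner. */
static int fill_fixed(const void *state, Builder *b)
{
    (void)b;
    return state == NULL ? -1 : 0;
}

/* The caller owns the builder: it keeps operating on it after the call
 * and releases it once. Returns the total release count (1 is correct)
 * and stores the number of uses after release in *stale_uses. */
static int run_caller(fill_fn fill, const void *state, int *stale_uses)
{
    Builder b = { 0, 0 };
    (void)fill(state, &b);
    builder_touch(&b);               /* caller continues to use the builder */
    builder_release(&b);             /* caller's own cleanup */
    *stale_uses = b.stale_uses;
    return b.releases;
}

int main(void)
{
    int stale = 0;
    int n = run_caller(fill_buggy, NULL, &stale);
    printf("buggy, NULL state: releases=%d stale_uses=%d\n", n, stale);
    n = run_caller(fill_fixed, NULL, &stale);
    printf("fixed, NULL state: releases=%d stale_uses=%d\n", n, stale);
    return 0;
}
```

With a real allocator, the two releases on the buggy path correspond to a double free and the stale use to a use-after-free.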