Wireshark-bugs: [Wireshark-bugs] [Bug 11052] New: Lack of sanity checking for malloc() in idl2wr
Date: Wed, 11 Mar 2015 21:48:54 +0000
| Bug ID | 11052 |
|---|---|
| Summary | Lack of sanity checking for malloc() in idl2wrs.c |
| Product | Wireshark |
| Version | 1.12.4 |
| Hardware | x86 |
| OS | All |
| Status | UNCONFIRMED |
| Severity | Major |
| Priority | Low |
| Component | Dissection engine (libwireshark) |
| Assignee | [email protected] |
| Reporter | [email protected] |
Created attachment 13504 [details]
Patch file 'diff -u' format for bug report
Build Information:
N/A
--
In reviewing file 'idl2wrs.c' in directory
'wireshark-1.12.4/epan/dissectors/dcerpc, I found numerous instances where
calls to malloc() were made, but no corresponding check for NULL was done
afterwards (indicating failure). The following code below in 'diff -u' format
fixes this issue:
--- idl2wrs.c.orig 2015-03-11 14:20:27.315300475 -0700
+++ idl2wrs.c 2015-03-11 14:40:09.532554209 -0700
@@ -206,6 +206,10 @@
{
dissector_param_value_t *dpv;
dpv=(dissector_param_value_t*)malloc(sizeof(dissector_param_value_t));
+ if (dpv == NULL) { /* oops, malloc() failed */
+ fprintf(stderr, "ERROR: out of memory in
register_dissector_param_value()\n");
+ Exit(10);
+ }
dpv->next=dissector_param_list;
dissector_param_list=dpv;
dpv->name=strdup(name);
@@ -237,6 +241,10 @@
if(!pi)pi=ptrs;
while(num_pointers--){
pi=(pointer_item_t*)malloc(sizeof(pointer_item_t));
+ if (pi == NULL) { /* oops, malloc() failed */
+ fprintf(stderr, "ERROR: out of memory in
prepend_pointer_list()\n");
+ Exit(10);
+ }
pi->next=ptrs;
pi->type=pointer_default;
ptrs=pi;
@@ -282,6 +290,10 @@
{
hf_rename_item_t *new_item;
new_item=(hf_rename_item_t*)malloc(sizeof(hf_rename_item_t));
+ if (new_item == NULL) { /* oops, malloc() failed */
+ fprintf(stderr, "ERROR: out of memory in register_hf_rename()\n");
+ Exit(10);
+ }
new_item->next=hf_rename_list;
hf_rename_list=new_item;
new_item->refcount=0;
@@ -350,6 +362,10 @@
}
hfi=(hf_field_item_t*)malloc(sizeof(hf_field_item_t));
+ if (hfi == NULL) { /* oops, malloc() failed */
+ fprintf(stderr, "ERROR: out of memory in register_hf_field()\n");
+ Exit(10);
+ }
hfi->next=hf_field_list;
hf_field_list=hfi;
hfi->name=strdup(hf_name);
@@ -455,6 +471,10 @@
ti=ti->next;
br=(bracket_item_t*)malloc(sizeof(bracket_item_t));
+ if (br == NULL) { /* oops, malloc() failed */
+ fprintf(stderr, "ERROR: out of memory in parsebrackets()\n");
+ Exit(10);
+ }
*bracket=br;
br->flags=0;
br->case_name=NULL;
@@ -722,6 +742,10 @@
br->flags|=BI_POINTER;
newpi=(pointer_item_t*)malloc(sizeof(pointer_item_t));
+ if (newpi == NULL) /* oops, malloc() failed */
+ fprintf(stderr, "ERROR: out of memory in
parsebrackets()\n");
+ Exit(10);
+ }
newpi->next=NULL;
newpi->type=ti->str;
newpi->next=br->pointer_list;
@@ -746,6 +770,10 @@
FPRINTF(NULL,"XXX new type:%s dissector:%s Type:%s Base:%s Mask:%s Vals:%s
alignment:%d\n", name, dissectorname, ft_type, base_type, mask, valsstring,
alignment);
new_type=(type_item_t*)malloc(sizeof(type_item_t));
+ if (new_type == NULL) /* oops, malloc() failed */
+ fprintf(stderr, "ERROR: out of memory in register_new_type()\n");
+ Exit(10);
+ }
new_type->next=type_list;
new_type->name=strdup(name);
new_type->dissector=strdup(dissectorname);
@@ -905,6 +933,10 @@
{
token_item_t *new_token_item;
new_token_item=(token_item_t*)malloc(sizeof(token_item_t));
+ if (new_token_item == NULL) /* oops, malloc() failed */
+ fprintf(stderr, "ERROR: out of memory in pushtoken()\n");
+ Exit(10);
+ }
new_token_item->next=NULL;
new_token_item->str=token;
if(!token_list){
@@ -2829,6 +2861,10 @@
* 4, CONST}
*/
el=(enum_list_t*)malloc(sizeof(enum_list_t));
+ if (el == NULL) { /* oops, malloc() failed */
+ fprintf(stderr, "ERROR: out of memory in
parsetypedefenum()\n");
+ Exit(10);
+ }
el->next=NULL;
if(!enum_list){
enum_list=el;
@@ -2952,6 +2988,10 @@
{
trimmed_prefixes_t *new_prefix;
new_prefix=(trimmed_prefixes_t*)malloc(sizeof(trimmed_prefixes_t));
+ if (new_prefix == NULL) { /* oops, malloc() failed */
+ fprintf(stderr, "ERROR: out of memory in praparerimprefix()\n");
+ Exit(10);
+ }
new_prefix->next=prefixes_to_trim;
prefixes_to_trim=new_prefix;
new_prefix->name=strdup(prefix_name);
@@ -3074,6 +3114,10 @@
str=cnfline+6;
str=str_read_string(str, &name);
nei=(no_emit_item_t*)malloc(sizeof(no_emit_item_t));
+ if (nei == NULL) { /* oops, malloc() failed */
+ fprintf(stderr, "ERROR: out of memory in
trimprefix()\n");
+ Exit(10);
+ }
nei->next=no_emit_list;
no_emit_list=nei;
nei->name=name;
@@ -3143,6 +3187,10 @@
union_tag_size=atoi(union_tag);
FPRINTF(NULL, "UNION_TAG_SIZE: %s == %d\n", union_name,
union_tag_size);
utsi=(union_tag_size_item_t*)malloc(sizeof(union_tag_size_item_t));
+ if (utsi == NULL) { /* oops, malloc() failed */
+ fprintf(stderr, "ERROR: out of memory in
trimprefix()\n");
+ Exit(10);
+ }
utsi->next=union_tag_size_list;
union_tag_size_list=utsi;
utsi->name=strdup(union_name);
I am attaching the patch file to this bug report...
Bill Parker (wp02855 at gmail dot com)
You are receiving this mail because:
- You are watching all bug changes.
- Follow-Ups:
- [Wireshark-bugs] [Bug 11052] Lack of sanity checking for malloc() in idl2wrs.c
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 11052] Lack of sanity checking for malloc() in idl2wrs.c
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 11052] Lack of sanity checking for malloc() in idl2wrs.c
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 11052] Lack of sanity checking for malloc() in idl2wrs.c
- Prev by Date: [Wireshark-bugs] [Bug 11035] High CPU on Wireshark 1.99.3 running on OS X 10.10.2
- Next by Date: [Wireshark-bugs] [Bug 11052] Lack of sanity checking for malloc() in idl2wrs.c
- Previous by thread: [Wireshark-bugs] [Bug 10296] Encoded WPA-PSK key exceeds 64 byte limit blocking use
- Next by thread: [Wireshark-bugs] [Bug 11052] Lack of sanity checking for malloc() in idl2wrs.c
- Index(es):