From: Jeff Lucovsky Date: Thu, 16 Dec 2021 14:32:52 +0000 (-0500) Subject: rust/dns: Ensure JSON object doesn't get leaked X-Git-Tag: suricata-5.0.9~117 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4902cbf5a307f745bbc9c06a5968be47a7c359b5;p=thirdparty%2Fsuricata.git rust/dns: Ensure JSON object doesn't get leaked Ensure js_answers isn't leaked when detailed logging is not in use. This commit changes how js_answers allocation is performed. Previously, it was allocated regardless of whether detailed logging was enabled. Now, it's only allocated if detailed logging is enabled. Ticket: #4901
---
diff --git a/rust/src/dns/log.rs b/rust/src/dns/log.rs
index cd8ef9758c..8225508fce 100644
--- a/rust/src/dns/log.rs
+++ b/rust/src/dns/log.rs
@@ -478,7 +478,7 @@ fn dns_log_json_answer(response: &DNSResponse, flags: u64) -> Json
 js.set_string("rcode", &dns_rcode_string(header.flags));
 if response.answers.len() > 0 {
- let js_answers = Json::array();
+ let js_answers = if flags & LOG_FORMAT_DETAILED != 0 { Some(Json::array()) } else { None };
 // For grouped answers we use a HashMap keyed by the rrtype.
 let mut answer_types = HashMap::new();
@@ -526,12 +526,13 @@ fn dns_log_json_answer(response: &DNSResponse, flags: u64) -> Json
 }
 }
- if flags & LOG_FORMAT_DETAILED != 0 {
+ if let Some(js_answers) = &js_answers {
 js_answers.array_append(dns_log_json_answer_detail(answer));
 }
 }
- if flags & LOG_FORMAT_DETAILED != 0 {
+
+ if let Some(js_answers) = js_answers {
 js.set("answers", js_answers);
 }
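Review bot: The conditional allocation of `js_answers` in the first hunk carries no comment saying why it is wrapped in an `Option`, so a later edit could hoist `Json::array()` back out of the branch and reintroduce the leak. Going by the commit message, an array that is never passed to `js.set` is not freed (presumably `Json` has no `Drop`; confirm against its definition), and because this path runs for every logged response that has answers, the resulting memory growth is driven by network traffic the sensor does not control. I would add above the `let`: `// Allocate only when it will be attached via js.set(); an unattached Json array is not freed.` The body of dns_log_json_answer starts and ends outside this hunk.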