From 6c763e23dbf0a08313f5f8333426b781c9bd5653 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Mon, 30 Mar 2020 07:57:36 -0400
Subject: [PATCH] detect/tls: Use pcre_copy_substring to avoid leak
This commit eliminates a memory leak while parsing TLS version information. The leak was identified through fuzzing.
(cherry picked from commit 2823bc5aed3ade2f916a9592c0ecf214bb62481b)
---
 src/detect-tls-version.c | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)
diff --git a/src/detect-tls-version.c b/src/detect-tls-version.c
index dfd2a517a1..c2a4980c6e 100644
--- a/src/detect-tls-version.c
+++ b/src/detect-tls-version.c
@@ -164,12 +164,11 @@ static DetectTlsVersionData *DetectTlsVersionParse (const char *str)
 }
 if (ret > 1) {
- const char *str_ptr;
- char *orig;
+ char ver_ptr[64];
 char *tmp_str;
- res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 1, &str_ptr);
+ res = pcre_copy_substring((char *)str, ov, MAX_SUBSTRINGS, 1, ver_ptr, sizeof(ver_ptr));
 if (res < 0) {
- SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
+ SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
 goto error;
 }
@@ -178,11 +177,7 @@ static DetectTlsVersionData *DetectTlsVersionParse (const char *str)
 if (unlikely(tls == NULL))
 goto error;
- orig = SCStrdup((char*)str_ptr);
- if (unlikely(orig == NULL)) {
- goto error;
- }
- tmp_str=orig;
+ tmp_str = ver_ptr;
 /* Let's see if we need to scape "'s */
 if (tmp_str[0] == '"')
@@ -204,14 +199,11 @@ static DetectTlsVersionData *DetectTlsVersionParse (const char *str)
 tls->flags |= DETECT_TLS_VERSION_FLAG_RAW;
 } else {
 SCLogError(SC_ERR_INVALID_VALUE, "Invalid value");
- SCFree(orig);
 goto error;
 }
 tls->ver = temp;
- SCFree(orig);
-
 SCLogDebug("will look for tls %"PRIu16"", tls->ver);
 }
--
2.47.2
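Review bot: The new `char ver_ptr[64]` in the `if (ret > 1)` block turns an over-long capture into a hard parse failure, but the log line `"pcre_copy_substring failed"` gives the rule author no hint that length was the cause. pcre_copy_substring() reports a too-small buffer as a negative return (PCRE_ERROR_NOMEMORY), so including the code, e.g. `SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed: %d", res);`, would make that case distinguishable from a bad capture index. I would also put a comment on the declaration such as `/* holds the captured version token; longer captures are rejected, not truncated */` and consider renaming `ver_ptr`, since it is now an array rather than a pointer. The function body starts and ends outside this hunk, so the cleanup performed at `error:` is not visible here.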