dcerpc: fix error handling for alloc errors

Fix error handling of stub parsers. In case of SCRealloc error the
function would return a non-error code. This could possibly lead to
memory corruption.

Reported-By: The Yahoo pentest team

diff --git a/src/app-layer-dcerpc-udp.c b/src/app-layer-dcerpc-udp.c
index c44bdbb370a31d11532447216c64d4d507fea0d5..9dedeee59e2e4430b9bdaa693ff78938767d2721 100644 (file)
--- a/src/app-layer-dcerpc-udp.c
+++ b/src/app-layer-dcerpc-udp.c
@@ -45,6 +45,8 @@ enum {
        DCERPC_FIELD_MAX,
 };
 
+/** \internal
+ *  \retval stub_len or 0 in case of error */
 static uint32_t FragmentDataParser(Flow *f, void *dcerpcudp_state,
                                    AppLayerParserState *pstate,
                                    uint8_t *input, uint32_t input_len)
@@ -88,7 +90,7 @@ static uint32_t FragmentDataParser(Flow *f, void *dcerpcudp_state,
         SCFree(*stub_data_buffer);
         *stub_data_buffer = NULL;
         SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
-        goto end;
+        SCReturnUInt(0);
     }
 
     *stub_data_buffer = ptmp;
@@ -110,7 +112,6 @@ static uint32_t FragmentDataParser(Flow *f, void *dcerpcudp_state,
     }
 #endif
 
-end:
     SCReturnUInt((uint32_t)stub_len);
 }
 

diff --git a/src/app-layer-dcerpc.c b/src/app-layer-dcerpc.c
index 900c3269894cd2e04ab9fdb2be56a22f79b8a348..3a22ff73162e142669fada66bb8c453c6aa6fcc3 100644 (file)
--- a/src/app-layer-dcerpc.c
+++ b/src/app-layer-dcerpc.c
@@ -1189,6 +1189,8 @@ static uint32_t DCERPCParseREQUEST(DCERPC *dcerpc, uint8_t *input, uint32_t inpu
     SCReturnUInt((uint32_t)(p - input));
 }
 
+/** \internal
+ *  \retval stub_len or 0 in case of error */
 static uint32_t StubDataParser(DCERPC *dcerpc, uint8_t *input, uint32_t input_len)
 {
     SCEnter();
@@ -1248,7 +1250,7 @@ static uint32_t StubDataParser(DCERPC *dcerpc, uint8_t *input, uint32_t input_le
         SCFree(*stub_data_buffer);
         *stub_data_buffer = NULL;
         SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
-        goto end;
+        SCReturnUInt(0);
     }
     *stub_data_buffer = ptmp;
 
@@ -1272,7 +1274,6 @@ static uint32_t StubDataParser(DCERPC *dcerpc, uint8_t *input, uint32_t input_le
     }
 #endif
 
-end:
     SCReturnUInt((uint32_t)stub_len);
 }