Changeset 286

Timestamp:

08/23/15 00:09:08 (9 years ago)

Author:

tim

Message:

Fixed a NULL pointer dereference and one dangling pointer, triggered by corrupt security descriptors.
Thanks AFL!

Location:

trunk/lib

Files:

• lru_cache.c (modified) (1 diff)
• regfi.c (modified) (9 diffs)
• winsec.c (modified) (1 diff)

trunk/lib/lru_cache.c

@@ -61 +61 @@
 
 #if 0
-static void lru_cache_print(lru_cache* ht)
+_EXPORT()
+void lru_cache_print(lru_cache* ht)
 {
   uint32_t i;

trunk/lib/regfi.c

@@ -973 +973 @@
  ******************************************************************************/
 REGFI_SK* regfi_parse_sk(REGFI_FILE* file, uint32_t offset, uint32_t max_size, 
-                             bool strict)
+                         bool strict)
 {
   REGFI_SK* ret_val = NULL;
@@ -1015 +1015 @@
   {
     regfi_log_add(REGFI_LOG_WARN, "Invalid cell size found while"
-                      " parsing SK record at offset 0x%.8X.", offset);
+                  " parsing SK record at offset 0x%.8X.", offset);
     goto fail_locked;
   }
@@ -1063 +1063 @@
 
   if(!(ret_val->sec_desc = winsec_parse_desc(ret_val, sec_desc_buf, 
-                                                   ret_val->desc_size)))
+                                             ret_val->desc_size)))
   {
     regfi_log_add(REGFI_LOG_ERROR, "Failed to parse security"
-                      " descriptor while parsing SK record at offset 0x%.8X.",
-                      offset);
+                  " descriptor while parsing SK record at offset 0x%.8X.",
+                  offset);
     goto fail;
   }
@@ -1439 +1439 @@
   REGFI_SK* ret_val = NULL;
   int32_t max_size;
-  void* failure_ptr = NULL;
+  uint32_t* failure_ptr = NULL;
   
   max_size = regfi_calc_maxsize(file, offset);
@@ -1447 +1447 @@
   if(file->sk_cache == NULL)
     return regfi_parse_sk(file, offset, max_size, strict);
-
   if(!regfi_lock(file, &file->mem_lock, "regfi_load_sk"))
     return NULL;
@@ -1456 +1455 @@
 
   /* Bail out if we have previously cached a parse failure at this offset. */
-  if(ret_val == (void*)REGFI_OFFSET_NONE)
+  if(ret_val && *(uint32_t*)ret_val == REGFI_OFFSET_NONE)
   {
     ret_val = NULL;
@@ -1471 +1470 @@
         goto unlock;
 
-      *(uint32_t*)failure_ptr = REGFI_OFFSET_NONE;
+      *failure_ptr = REGFI_OFFSET_NONE;
       lru_cache_update(file->sk_cache, &offset, 4, failure_ptr);
 
@@ -1477 +1476 @@
       talloc_unlink(NULL, failure_ptr);
     }
+    else
+      lru_cache_update(file->sk_cache, &offset, 4, ret_val);      
   }
   else
@@ -2054 +2055 @@
     return NULL;
 
+  /*lru_cache_print(file->sk_cache);*/
   return regfi_load_sk(file, key->sk_off + REGFI_REGF_SIZE, true);
 }

trunk/lib/winsec.c

@@ -413 +413 @@
   uint32_t i, size = WINSEC_MAX_SUBAUTHS*11 + 24;
   uint32_t left = size;
-  uint8_t comps = sid->num_auths;
-  char* ret_val = malloc(size);
-  
+  uint8_t comps;
+  char* ret_val;
+
+  if(sid == NULL)
+    return NULL;
+  comps = sid->num_auths;
+
+  ret_val = malloc(size);
   if(ret_val == NULL)
     return NULL;