Changeset 286


Timestamp:
08/23/15 00:09:08 (9 years ago)
Author:
tim
Message:

Fixed a NULL pointer dereference and one dangling pointer, triggered by corrupt security descriptors.
Thanks AFL!

Location:
trunk/lib
Files:
3 edited

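--- a/trunk/lib/lru_cache.c
+++ b/trunk/lib/lru_cache.c
@@ -61,5 +61,6 @@
 
 #if 0
-static void lru_cache_print(lru_cache* ht)
+_EXPORT()
+void lru_cache_print(lru_cache* ht)
 {
   uint32_t i;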
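--- a/trunk/lib/regfi.c
+++ b/trunk/lib/regfi.c
@@ -973,5 +973,5 @@
  ******************************************************************************/
 REGFI_SK* regfi_parse_sk(REGFI_FILE* file, uint32_t offset, uint32_t max_size,
-                             bool strict)
+                         bool strict)
 {
   REGFI_SK* ret_val = NULL;
@@ -1015,5 +1015,5 @@
   {
     regfi_log_add(REGFI_LOG_WARN, "Invalid cell size found while"
-                      " parsing SK record at offset 0x%.8X.", offset);
+                  " parsing SK record at offset 0x%.8X.", offset);
     goto fail_locked;
   }
@@ -1063,9 +1063,9 @@
 
   if(!(ret_val->sec_desc = winsec_parse_desc(ret_val, sec_desc_buf,
-                                                 ret_val->desc_size)))
+                                             ret_val->desc_size)))
   {
     regfi_log_add(REGFI_LOG_ERROR, "Failed to parse security"
-                      " descriptor while parsing SK record at offset 0x%.8X.",
-                      offset);
+                  " descriptor while parsing SK record at offset 0x%.8X.",
+                  offset);
     goto fail;
   }
@@ -1439,5 +1439,5 @@
   REGFI_SK* ret_val = NULL;
   int32_t max_size;
-  void* failure_ptr = NULL;
+  uint32_t* failure_ptr = NULL;
 
   max_size = regfi_calc_maxsize(file, offset);
@@ -1447,5 +1447,4 @@
   if(file->sk_cache == NULL)
     return regfi_parse_sk(file, offset, max_size, strict);
-
   if(!regfi_lock(file, &file->mem_lock, "regfi_load_sk"))
     return NULL;
@@ -1456,5 +1455,5 @@
 
   /* Bail out if we have previously cached a parse failure at this offset. */
-  if(ret_val == (void*)REGFI_OFFSET_NONE)
+  if(ret_val && *(uint32_t*)ret_val == REGFI_OFFSET_NONE)
   {
     ret_val = NULL;
@@ -1471,5 +1470,5 @@
         goto unlock;
 
-      *(uint32_t*)failure_ptr = REGFI_OFFSET_NONE;
+      *failure_ptr = REGFI_OFFSET_NONE;
       lru_cache_update(file->sk_cache, &offset, 4, failure_ptr);
 
@@ -1477,4 +1476,6 @@
       talloc_unlink(NULL, failure_ptr);
     }
+    else
+      lru_cache_update(file->sk_cache, &offset, 4, ret_val);     
   }
   else
@@ -2054,4 +2055,5 @@
     return NULL;
 
+  /*lru_cache_print(file->sk_cache);*/
   return regfi_load_sk(file, key->sk_off + REGFI_REGF_SIZE, true);
 }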
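Review bot: The new sentinel test `if(ret_val && *(uint32_t*)ret_val == REGFI_OFFSET_NONE)` reads the first four bytes of whatever pointer the cache returned, so a genuine REGFI_SK whose leading member happens to hold the value REGFI_OFFSET_NONE would be discarded as a cached failure, and unless REGFI_SK begins with a uint32_t (its definition is not in this hunk) the access through `uint32_t*` also violates strict aliasing. The old comparison `ret_val == (void*)REGFI_OFFSET_NONE` could never match the talloc'd `failure_ptr` that `lru_cache_update` stores, which is presumably the dereference this changeset fixes, so the invariant the new code relies on should be written next to it, e.g. `/* Parse failures are cached as a talloc'd uint32_t holding REGFI_OFFSET_NONE; a real REGFI_SK must never begin with that value. */`. The unchanged `talloc_unlink(NULL, failure_ptr);` two lines later only leaves the cached sentinel valid if lru_cache_update took its own talloc reference, which is worth stating in the same comment. The added `lru_cache_update(file->sk_cache, &offset, 4, ret_val);` line carries trailing whitespace. regfi_load_sk begins and ends outside the hunk.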
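--- a/trunk/lib/winsec.c
+++ b/trunk/lib/winsec.c
@@ -413,7 +413,12 @@
   uint32_t i, size = WINSEC_MAX_SUBAUTHS*11 + 24;
   uint32_t left = size;
-  uint8_t comps = sid->num_auths;
-  char* ret_val = malloc(size);
- 
+  uint8_t comps;
+  char* ret_val;
+
+  if(sid == NULL)
+    return NULL;
+  comps = sid->num_auths;
+
+  ret_val = malloc(size);
   if(ret_val == NULL)
     return NULL;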
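Review bot: The added `if(sid == NULL) return NULL;` guards the pointer but not the count read through it: `size` stays fixed at `WINSEC_MAX_SUBAUTHS*11 + 24` while `comps = sid->num_auths;` comes from the parsed SID, so for a corrupt SID the formatting that follows (outside this hunk) must either clamp `comps` to WINSEC_MAX_SUBAUTHS or stay bounded by `left`; worth confirming, since corrupt descriptors are exactly the input class this changeset addresses. A short comment on the guard saying how a NULL sid reaches this function (presumably a descriptor whose SID failed to parse upstream) would help the next reader, e.g. `/* sid may be NULL when its parse failed upstream; see callers. */`. The enclosing function starts before this hunk and continues after it.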