Changeset 286 for trunk/lib/regfi.c


Timestamp:
08/23/15 00:09:08 (9 years ago)
Author:
tim
Message:

Fixed a NULL pointer dereference and one dangling pointer, triggered by corrupt security descriptors.
Thanks AFL!

File:
1 edited

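--- a/trunk/lib/regfi.c
+++ b/trunk/lib/regfi.c
@@ -973,5 +973,5 @@
  ******************************************************************************/
 REGFI_SK* regfi_parse_sk(REGFI_FILE* file, uint32_t offset, uint32_t max_size,
-                             bool strict)
+                         bool strict)
 {
   REGFI_SK* ret_val = NULL;
@@ -1015,5 +1015,5 @@
   {
     regfi_log_add(REGFI_LOG_WARN, "Invalid cell size found while"
-                      " parsing SK record at offset 0x%.8X.", offset);
+                  " parsing SK record at offset 0x%.8X.", offset);
     goto fail_locked;
   }
@@ -1063,9 +1063,9 @@
 
   if(!(ret_val->sec_desc = winsec_parse_desc(ret_val, sec_desc_buf,
-                                                   ret_val->desc_size)))
+                                             ret_val->desc_size)))
   {
     regfi_log_add(REGFI_LOG_ERROR, "Failed to parse security"
-                      " descriptor while parsing SK record at offset 0x%.8X.",
-                      offset);
+                  " descriptor while parsing SK record at offset 0x%.8X.",
+                  offset);
     goto fail;
   }
@@ -1439,5 +1439,5 @@
   REGFI_SK* ret_val = NULL;
   int32_t max_size;
-  void* failure_ptr = NULL;
+  uint32_t* failure_ptr = NULL;
  
   max_size = regfi_calc_maxsize(file, offset);
@@ -1447,5 +1447,4 @@
   if(file->sk_cache == NULL)
     return regfi_parse_sk(file, offset, max_size, strict);
-
   if(!regfi_lock(file, &file->mem_lock, "regfi_load_sk"))
     return NULL;
@@ -1456,5 +1455,5 @@
 
   /* Bail out if we have previously cached a parse failure at this offset. */
-  if(ret_val == (void*)REGFI_OFFSET_NONE)
+  if(ret_val && *(uint32_t*)ret_val == REGFI_OFFSET_NONE)
   {
     ret_val = NULL;
@@ -1471,5 +1470,5 @@
         goto unlock;
 
-      *(uint32_t*)failure_ptr = REGFI_OFFSET_NONE;
+      *failure_ptr = REGFI_OFFSET_NONE;
       lru_cache_update(file->sk_cache, &offset, 4, failure_ptr);
 
@@ -1477,4 +1476,6 @@
       talloc_unlink(NULL, failure_ptr);
     }
+    else
+      lru_cache_update(file->sk_cache, &offset, 4, ret_val);     
   }
   else
@@ -2054,4 +2055,5 @@
     return NULL;
 
+  /*lru_cache_print(file->sk_cache);*/
   return regfi_load_sk(file, key->sk_off + REGFI_REGF_SIZE, true);
 }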
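Review bot: The sentinel test added at new line 1457, `if(ret_val && *(uint32_t*)ret_val == REGFI_OFFSET_NONE)`, reads the first 32 bits of whatever the cache hands back, so it tells a cached failure marker apart from a real REGFI_SK only if the first member of REGFI_SK can never hold REGFI_OFFSET_NONE; that struct's layout is not in the diff, so the invariant deserves to be stated next to the check, e.g. `/* Parse failures are cached as a bare uint32_t holding REGFI_OFFSET_NONE; relies on a real REGFI_SK never starting with that value. */`. The same type-punned convention is written at line 1472 and the new else branch at lines 1478-1479 caches the successful parse result, so a reader has to assemble the cache protocol from three places; a one-line comment at the `failure_ptr` declaration on line 1441 saying it is the failure marker that is stored in `sk_cache` would tie them together. Whether lru_cache_update takes its own talloc reference to `ret_val` on that success path is not visible here; if it does not, the cache entry would outlive the reference the caller eventually drops, which is worth confirming against the cache's ownership contract. regfi_load_sk begins and ends outside the hunks shown.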