Wireshark-bugs: [Wireshark-bugs] [Bug 11608] New: Potential Memory Leaks and Potential NULL poin
Date: Sat, 17 Oct 2015 20:26:47 +0000
Bug ID | 11608 |
---|---|
Summary | Potential Memory Leaks and Potential NULL pointer dereference in Wireshark 2.0.0 (RC) |
Product | Wireshark |
Version | unspecified |
Hardware | All |
OS | All |
Status | UNCONFIRMED |
Severity | Major |
Priority | Low |
Component | Extras |
Assignee | bugzilla-admin@wireshark.org |
Reporter | wp02855@gmail.com |
Created attachment 13923 [details]
Patch file for Bug Report (androiddump.c)
Build Information:
Fedora 22 Server (AMD64), VirtualBox 4.3.3x
--
Hello All,
In reviewing source code in Wireshark-2.0.0 (RC), in sub-directory
'extcap', file 'androiddump.c', there are numerous instances where
calls to malloc() are made, but no check for a return value of NULL
(indicating failure) is made. Additionally, there are calls to strcat()
after some of the malloc() calls, and if the destination address is
pointing to NULL, the program will abort with a segmentation violation/
fault (CWE-476).
Also, there appears to be no release of allocated memory for
variables 'interface_name', 'i_interface_list', and 'i_interface_list->next'
in this file.
The patch file below should address/correct these issues:
--- androiddump.c.orig 2015-10-17 08:47:16.290858832 -0700
+++ androiddump.c 2015-10-17 09:15:10.218606441 -0700
@@ -621,15 +621,29 @@
/* If tcpdump is found in the android device, add Android Wifi Tcpdump
as an interface */
if (strstr(response,"tcpdump version")) {
interface_name = (char *)
malloc(strlen(INTERFACE_ANDROID_WIFI_TCPDUMP) + 1 + strlen(serial_number) + 1);
+ if (interface_name == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
interface_name\n");
+ return 1;
+ }
interface_name[0]= '\0';
strcat(interface_name, INTERFACE_ANDROID_WIFI_TCPDUMP);
strcat(interface_name, "-");
strcat(interface_name, serial_number);
if (*interface_list == NULL) {
i_interface_list = (struct interface_t *) malloc(sizeof(struct
interface_t));
+ if (i_interface_list == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
i_interface_list\n");
+ free(interface_name);
+ return 1;
+ }
*interface_list = i_interface_list;
} else {
i_interface_list->next = (struct interface_t *)
malloc(sizeof(struct interface_t));
+ if (i_interface_list->next == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
i_interface_list->next\n");
+ free(interface_name);
+ return 1;
+ }
i_interface_list = i_interface_list->next;
}
i_interface_list->display_name = "Android WiFi";
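Review bot: The `malloc` plus three `strcat` calls that build `interface_name` still rely on hand-computed size arithmetic, which the new NULL check does nothing to make easier to keep correct. Since the file already uses GLib (`g_fprintf`), `interface_name = g_strdup_printf("%s-%s", INTERFACE_ANDROID_WIFI_TCPDUMP, serial_number);` would build the string in one step. GLib's allocator terminates on allocation failure, so no NULL check would be needed, but the string must then be released with `g_free`. The same construction repeats in every later hunk of this patch. The enclosing function starts and ends outside the hunk, so whether anything acquired earlier needs releasing before the new `return 1` paths cannot be checked from here.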
@@ -656,15 +670,29 @@
if (api_level < 21) {
interface_name = (char *)
malloc(strlen(INTERFACE_ANDROID_LOGCAT_MAIN) + 1 + strlen(serial_number) + 1);
+ if (interface_name == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
interface_name\n");
+ return 1;
+ }
interface_name[0]= '\0';
strcat(interface_name, INTERFACE_ANDROID_LOGCAT_MAIN);
strcat(interface_name, "-");
strcat(interface_name, serial_number);
if (*interface_list == NULL) {
i_interface_list = (struct interface_t *) malloc(sizeof(struct
interface_t));
+ if (i_interface_list == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
i_interface_list\n");
+ free(interface_name);
+ return 1;
+ }
*interface_list = i_interface_list;
} else {
i_interface_list->next = (struct interface_t *)
malloc(sizeof(struct interface_t));
+ if (i_interface_list->next == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
i_interface_list->next\n");
+ free(interface_name);
+ return 1;
+ }
i_interface_list = i_interface_list->next;
}
i_interface_list->display_name = "Android Logcat Main";
@@ -673,48 +701,98 @@
interface_name = (char *)
malloc(strlen(INTERFACE_ANDROID_LOGCAT_SYSTEM) + 1 + strlen(serial_number) +
1);
+ if (interface_name == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
interface_name\n");
+ free(i_interface_list->next);
+ free(i_interface_list);
+ return 1;
+ }
interface_name[0]= '\0';
strcat(interface_name, INTERFACE_ANDROID_LOGCAT_SYSTEM);
strcat(interface_name, "-");
strcat(interface_name, serial_number);
i_interface_list->next = (struct interface_t *)
malloc(sizeof(struct interface_t));
+ if (i_interface_list->next == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
i_interface_list->next\n");
+ free(i_interface_list);
+ free(interface_name);
+ return 1;
+ }
i_interface_list = i_interface_list->next;
i_interface_list->display_name = "Android Logcat System";
i_interface_list->interface_name = interface_name;
i_interface_list->next = NULL;
interface_name = (char *)
malloc(strlen(INTERFACE_ANDROID_LOGCAT_RADIO) + 1 + strlen(serial_number) + 1);
+ if (interface_name == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
interface_name\n");
+ free(i_interface_list->next);
+ free(i_interface_list);
+ return 1;
+ }
interface_name[0]= '\0';
strcat(interface_name, INTERFACE_ANDROID_LOGCAT_RADIO);
strcat(interface_name, "-");
strcat(interface_name, serial_number);
i_interface_list->next = (struct interface_t *)
malloc(sizeof(struct interface_t));
+ if (i_interface_list->next == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
i_interface_list->next\n");
+ free(i_interface_list);
+ free(interface_name);
+ return 1;
+ }
i_interface_list = i_interface_list->next;
i_interface_list->display_name = "Android Logcat Radio";
i_interface_list->interface_name = interface_name;
i_interface_list->next = NULL;
interface_name = (char *)
malloc(strlen(INTERFACE_ANDROID_LOGCAT_EVENTS) + 1 + strlen(serial_number) +
1);
+ if (interface_name == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
interface_name\n");
+ free(i_interface_list->next);
+ free(i_interface_list);
+ return 1;
+ }
interface_name[0]= '\0';
strcat(interface_name, INTERFACE_ANDROID_LOGCAT_EVENTS);
strcat(interface_name, "-");
strcat(interface_name, serial_number);
i_interface_list->next = (struct interface_t *)
malloc(sizeof(struct interface_t));
+ if (i_interface_list->next == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
i_interface_list->next\n");
+ free(i_interface_list);
+ free(interface_name);
+ return 1;
+ }
i_interface_list = i_interface_list->next;
i_interface_list->display_name = "Android Logcat Events";
i_interface_list->interface_name = interface_name;
i_interface_list->next = NULL;
} else {
interface_name = (char *)
malloc(strlen(INTERFACE_ANDROID_LOGCAT_TEXT_MAIN) + 1 + strlen(serial_number) +
1);
+ if (interface_name == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
interface_name\n");
+ return 1;
+ }
interface_name[0]= '\0';
strcat(interface_name, INTERFACE_ANDROID_LOGCAT_TEXT_MAIN);
strcat(interface_name, "-");
strcat(interface_name, serial_number);
if (*interface_list == NULL) {
i_interface_list = (struct interface_t *) malloc(sizeof(struct
interface_t));
+ if (i_interface_list == NULL) {
+ free(interface_name);
+ return 1;
+ }
*interface_list = i_interface_list;
} else {
i_interface_list->next = (struct interface_t *)
malloc(sizeof(struct interface_t));
+ if (i_interface_list->next == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
i_interface_list->next\n");
+ free(i_interface_list);
+ free(interface_name);
+ return 1;
+ }
i_interface_list = i_interface_list->next;
}
i_interface_list->display_name = "Android Logcat Main";
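Review bot: The new error paths free a node that is still reachable from the list: `i_interface_list` is the current tail, already stored in `*interface_list` or in the previous node's `next`, so `free(i_interface_list);` before `return 1;` leaves the caller with a dangling pointer. That turns an out-of-memory condition into a use-after-free or double free when the list is later walked or released. In the `interface_name == NULL` branches the accompanying `free(i_interface_list->next);` is at best a no-op wherever the visible context has just set `next` to NULL. Those branches should only report the error and `return 1;`, and the `i_interface_list->next == NULL` branches should keep only `free(interface_name);`. The same frees appear in the hunks at `@@ -723`, `@@ -805`, `@@ -885` and `@@ -965`; the function begins outside this hunk, so how the caller disposes of the list on failure is inferred rather than visible.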
@@ -723,44 +801,92 @@
interface_name = (char *)
malloc(strlen(INTERFACE_ANDROID_LOGCAT_TEXT_SYSTEM) + 1 + strlen(serial_number)
+ 1);
+ if (interface_name == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
interface_name\n");
+ free(i_interface_list->next);
+ free(i_interface_list);
+ return 1;
+ }
interface_name[0]= '\0';
strcat(interface_name, INTERFACE_ANDROID_LOGCAT_TEXT_SYSTEM);
strcat(interface_name, "-");
strcat(interface_name, serial_number);
i_interface_list->next = (struct interface_t *)
malloc(sizeof(struct interface_t));
+ if (i_interface_list->next == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
i_interface_list->next\n");
+ free(i_interface_list);
+ free(interface_name);
+ return 1;
+ }
i_interface_list = i_interface_list->next;
i_interface_list->display_name = "Android Logcat System";
i_interface_list->interface_name = interface_name;
i_interface_list->next = NULL;
interface_name = (char *)
malloc(strlen(INTERFACE_ANDROID_LOGCAT_TEXT_RADIO) + 1 + strlen(serial_number)
+ 1);
+ if (interface_name == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
interface_name\n");
+ free(i_interface_list->next);
+ free(i_interface);
+ return 1;
+ }
interface_name[0]= '\0';
strcat(interface_name, INTERFACE_ANDROID_LOGCAT_TEXT_RADIO);
strcat(interface_name, "-");
strcat(interface_name, serial_number);
i_interface_list->next = (struct interface_t *)
malloc(sizeof(struct interface_t));
+ if (i_interface_list->next == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
i_interface_list->next\n");
+ free(i_interface_list);
+ free(interface_name);
+ return 1;
+ }
i_interface_list = i_interface_list->next;
i_interface_list->display_name = "Android Logcat Radio";
i_interface_list->interface_name = interface_name;
i_interface_list->next = NULL;
interface_name = (char *)
malloc(strlen(INTERFACE_ANDROID_LOGCAT_TEXT_EVENTS) + 1 + strlen(serial_number)
+ 1);
+ if (interface_name == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
interface_name\n");
+ free(i_interface_list->next);
+ free(i_interface_list);
+ return 1;
+ }
interface_name[0]= '\0';
strcat(interface_name, INTERFACE_ANDROID_LOGCAT_TEXT_EVENTS);
strcat(interface_name, "-");
strcat(interface_name, serial_number);
i_interface_list->next = (struct interface_t *)
malloc(sizeof(struct interface_t));
+ if (i_interface_list->next == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
i_interface_list->next\n");
+ free(i_interface_list);
+ free(interface_name);
+ return 1;
+ }
i_interface_list = i_interface_list->next;
i_interface_list->display_name = "Android Logcat Events";
i_interface_list->interface_name = interface_name;
i_interface_list->next = NULL;
interface_name = (char *)
malloc(strlen(INTERFACE_ANDROID_LOGCAT_TEXT_CRASH) + 1 + strlen(serial_number)
+ 1);
+ if (interface_name == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
interface_name\n");
+ free(i_interface_list->next);
+ free(i_interface_list);
+ return 1;
+ }
interface_name[0]= '\0';
strcat(interface_name, INTERFACE_ANDROID_LOGCAT_TEXT_CRASH);
strcat(interface_name, "-");
strcat(interface_name, serial_number);
i_interface_list->next = (struct interface_t *)
malloc(sizeof(struct interface_t));
+ if (i_interface_list->next == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
interface_name\n");
+ free(i_interface_list);
+ free(interface_name);
+ return 1;
+ }
i_interface_list = i_interface_list->next;
i_interface_list->display_name = "Android Logcat Crash";
i_interface_list->interface_name = interface_name;
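Review bot: `free(i_interface);` in the `INTERFACE_ANDROID_LOGCAT_TEXT_RADIO` allocation check names an identifier that appears nowhere else in this patch and looks like a typo for `i_interface_list`; unless such a variable is declared outside the hunk, the file will not compile. Because that node is still linked into the list at this point, dropping the line is safer than correcting the name. The last added check in the hunk also reports the wrong allocation: it tests `i_interface_list->next`, so its message should read `"ERROR: Error while allocating memory for i_interface_list->next\n"` rather than `interface_name`.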
@@ -805,11 +931,21 @@
if (!disable_interface) {
interface_name = (char *)
malloc(strlen(INTERFACE_ANDROID_BLUETOOTH_HCIDUMP) + 1 + strlen(serial_number)
+ 1);
+ if (interface_name == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
interface_name\n");
+ return 1;
+ }
interface_name[0]= '\0';
strcat(interface_name, INTERFACE_ANDROID_BLUETOOTH_HCIDUMP);
strcat(interface_name, "-");
strcat(interface_name, serial_number);
i_interface_list->next = (struct interface_t *)
malloc(sizeof(struct interface_t));
+ if (i_interface_list->next == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
i_interface_list->next\n");
+ free(i_interface_list);
+ free(interface_name);
+ return 1;
+ }
i_interface_list = i_interface_list->next;
i_interface_list->display_name = "Android Bluetooth Hcidump";
i_interface_list->interface_name = interface_name;
@@ -885,11 +1021,21 @@
if (!disable_interface) {
interface_name = (char *)
malloc(strlen(INTERFACE_ANDROID_BLUETOOTH_EXTERNAL_PARSER) + 1 +
strlen(serial_number) + 1);
+ if (interface_name == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
interface_name\n");
+ return 1;
+ }
interface_name[0]= '\0';
strcat(interface_name,
INTERFACE_ANDROID_BLUETOOTH_EXTERNAL_PARSER);
strcat(interface_name, "-");
strcat(interface_name, serial_number);
i_interface_list->next = (struct interface_t *)
malloc(sizeof(struct interface_t));
+ if (i_interface_list->next == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
i_interface_list->next\n");
+ free(i_interface_list);
+ free(interface_name);
+ return 1;
+ }
i_interface_list = i_interface_list->next;
i_interface_list->display_name = "Android Bluetooth External
Parser";
i_interface_list->interface_name = interface_name;
@@ -965,11 +1111,21 @@
if (!disable_interface) {
interface_name = (char *)
malloc(strlen(INTERFACE_ANDROID_BLUETOOTH_BTSNOOP_NET) + 1 +
strlen(serial_number) + 1);
+ if (interface_name == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
interface_name\n");
+ return 1;
+ }
interface_name[0]= '\0';
strcat(interface_name,
INTERFACE_ANDROID_BLUETOOTH_BTSNOOP_NET);
strcat(interface_name, "-");
strcat(interface_name, serial_number);
i_interface_list->next = (struct interface_t *)
malloc(sizeof(struct interface_t));
+ if (i_interface_list->next == NULL) {
+ g_fprintf(stderr, "ERROR: Error while allocating memory for
i_interface_list->next\n");
+ free(i_interface_list);
+ free(interface_name);
+ return 1;
+ }
i_interface_list = i_interface_list->next;
i_interface_list->display_name = "Android Bluetooth Btsnoop
Net";
i_interface_list->interface_name = interface_name;
=======================================================================
I am attaching the patch file to this bug report...
Bill Parker (wp02855 at gmail dot com)