Bug 1180487

Summary: libhtp: NULL pointer dereference in htp_connp_close()
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE
Severity: low
Priority: low
Version: unspecified
CC: bochecha, mbridon, vkaigoro
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: libhtp 0.5.16
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-01-09 16:49:12 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1173605, 1180488, 1180489

Description Vasyl Kaigorodov 2015-01-09 09:59:09 UTC
It was reported [1] that certain requests can cause a NULL pointer dereference in libhtp, leading to denial of service of Suricata.

The chain of events is as follows:

- failure in zlib setup (Z_STREAM_ERROR) leads to tx->connp->out_decompressor == NULL and htp_connp_res_data returning HTP_STREAM_ERROR
- Suricata then still sometimes calls htp_connp_close()
- htp_connp_close() resets statuses and unconditionally derefs tx->connp->out_decompressor
- as this is NULL, we get a segv

The calling of htp_connp_close may be erroneous if the htp state is in error.

Upstream commit that resolves this:
https://github.com/OISF/libhtp/pull/82/files

[1]: https://redmine.openinfosecfoundation.org/issues/1272
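
An added illustration of the failure chain in the description (not libhtp's or Suricata's own code; the struct and function names are hypothetical stand-ins for tx->connp->out_decompressor, htp_connp_res_data() and htp_connp_close()): the unfixed close dereferences the decompressor pointer unconditionally, while the hardened close bails out when the parser is already in the error state and skips a decompressor that was never created.

```c
#include <stddef.h>

/* Minimal model of the reported failure mode; all names are hypothetical. */
enum status { STREAM_OK = 0, STREAM_ERROR = -1 };

struct decompressor { int finalized; };

struct connp {
    struct decompressor *out_decompressor; /* NULL when zlib setup failed */
    enum status out_status;                /* state left by the last data call */
};

/* Stands in for the response-body decompressor setup inside the data call:
 * `zlib_fails` models inflateInit() returning Z_STREAM_ERROR, which leaves
 * out_decompressor NULL and the parser in the error state. */
int setup_decompressor(struct connp *c, int zlib_fails) {
    static struct decompressor d;
    if (zlib_fails) {
        c->out_decompressor = NULL;
        c->out_status = STREAM_ERROR;
        return STREAM_ERROR;
    }
    d.finalized = 0;
    c->out_decompressor = &d;
    c->out_status = STREAM_OK;
    return STREAM_OK;
}

void decompressor_finalize(struct decompressor *d) { d->finalized = 1; }

/* Unfixed shape: the close path resets state and dereferences the
 * decompressor pointer unconditionally, so a failed setup segfaults here. */
int close_unchecked(struct connp *c) {
    decompressor_finalize(c->out_decompressor); /* NULL deref on the error path */
    c->out_status = STREAM_OK;
    return STREAM_OK;
}

/* Hardened shape: a parser already in error is not closed normally, and a
 * decompressor that was never created is never touched. */
int close_checked(struct connp *c) {
    if (c->out_status == STREAM_ERROR)
        return STREAM_ERROR; /* caller should tear the connection down instead */
    if (c->out_decompressor != NULL)
        decompressor_finalize(c->out_decompressor);
    return STREAM_OK;
}
```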

Comment 1 Vasyl Kaigorodov 2015-01-09 09:59:30 UTC
Created libhtp tracking bugs for this issue:

Affects: fedora-all [bug 1180488]
Affects: epel-all [bug 1180489]

Comment 2 Mathieu Bridon 2015-01-09 10:11:19 UTC
Isn't that a duplicate of 1173605?

Comment 3 Vasyl Kaigorodov 2015-01-09 16:49:12 UTC
(In reply to Mathieu Bridon from comment #2)
> Isn't that a duplicate of 1173605?

Ooops, you're right.
Closing this one.

*** This bug has been marked as a duplicate of bug 1173605 ***