Bug 1329295 (CVE-2016-4912)

Summary: CVE-2016-4912 openslp: null pointer dereference in _xrealloc() function
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: john.calcote, rdieter, security-response-team, vcrhonek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-19 06:53:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1337402, 1337403    
Bug Blocks: 1329300    

Description Andrej Nemec 2016-04-21 14:40:35 UTC 
A null pointer dereference vulnerability was found in function _xrealloc() in xlsp_xmalloc.c in OpenSLP. A remote attacker could potentially crash the server when large number of packets are sent.

Vulnerable code:

void * _xrealloc(const char * file, int line, void * ptr, size_t size)
{
xallocation_t * x;

if (!ptr)
return _xmalloc(file, line, size);

if (!size)
{
_xfree(file, line, ptr);
return 0;
}

x = _xmalloc_find(ptr);
if (x != 0)
{
void * newptr = ptr;
if (x->size != size)
{
newptr = _xmalloc(file, line, size);   //*** return 0 if failed from _xmalloc
memcpy(newptr, ptr, x->size);  //*** it'll cased a null pointer reference
_xfree(file, line, x);
}
return newptr;
}

if (G_xmalloc_fh)
fprintf(G_xmalloc_fh, "*** xrealloc called on "
"non-xmalloc'd memory ***\n");

return 0;
}
Comment 1 Andrej Nemec 2016-04-21 14:40:40 UTC 
Acknowledgments:

Name: Yuguang Cai (Qihoo 360)
Comment 3 Huzaifa S. Sidhpurwala 2016-05-18 06:58:21 UTC 
CVE request at:

http://seclists.org/oss-sec/2016/q2/361
Comment 4 Huzaifa S. Sidhpurwala 2016-05-19 06:51:13 UTC 
Created openslp tracking bugs for this issue:

Affects: fedora-all [bug 1337402]
Affects: epel-5 [bug 1337403]
Comment 5 Huzaifa S. Sidhpurwala 2016-05-19 07:01:12 UTC 
Note:

Upstream has been made aware of this issue via:
https://sourceforge.net/p/openslp/bugs/152/
Comment 6 Rex Dieter 2016-05-19 12:45:14 UTC 
Curious, why was this closed->WONTFIX ?
Comment 7 Fedora Update System 2016-05-31 08:12:54 UTC 
openslp-2.0.0-9.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2016-06-08 01:21:02 UTC 
openslp-2.0.0-6.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2016-06-08 01:24:34 UTC 
openslp-2.0.0-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 John Calcote 2017-04-07 18:16:18 UTC 
Please note that the function in question - _xmalloc (recently changed to slp_xmalloc for libslp namespace reasons) is a DEBUG-only method. That is, it is only implemented in DEBUG builds of OpenSLP. Given this fact, it's unlikely to be a security issue in any deployment.
Comment 11 John Calcote 2017-04-07 18:17:26 UTC 
Sorry - I meant _xrealloc (now slp_xrealloc).
Comment 12 John Calcote 2017-04-07 18:26:25 UTC 
I've fixed the issue in openslp mercurial commit 1781.