Bug 1180487 - libhtp: NULL pointer dereference in htp_connp_close()
Keywords:
Status: CLOSED DUPLICATE of bug 1173605
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1173605 1180488 1180489
Blocks:
Reported: 2015-01-09 09:59 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:26 UTC

Fixed In Version: libhtp 0.5.16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-09 16:49:12 UTC
Embargoed:



Description Vasyl Kaigorodov 2015-01-09 09:59:09 UTC
It was reported [1] that certain requests can cause a NULL pointer dereference in libhtp, leading to denial of service of Suricata.

The chain of events is as follows:

- failure in zlib setup (Z_STREAM_ERROR) leads to tx->connp->out_decompressor == NULL and htp_connp_res_data returning HTP_STREAM_ERROR
- Suricata then still sometimes calls htp_connp_close()
- htp_connp_close() resets status' and unconditionally derefs tx->connp->out_decompressor
- as this is NULL, we get a segv

The calling of htp_connp_close may be erroneous if the htp state is in error.

Upstream commit that resolves this:
https://github.com/OISF/libhtp/pull/82/files

[1]: https://redmine.openinfosecfoundation.org/issues/1272
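The failure chain in the description above, as an added C sketch (not libhtp or Suricata code, and not the upstream patch). All type and function names are hypothetical stand-ins; `zlib_fails` simulates the Z_STREAM_ERROR setup failure.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified model; every name here is hypothetical, not libhtp's API. */
enum { STREAM_OK = 0, STREAM_ERROR = -1 };

typedef struct { int finished; } decompressor_t;

typedef struct {
    int status;                 /* STREAM_OK or STREAM_ERROR */
    decompressor_t *out_decomp; /* NULL when decompressor setup failed */
} connp_t;

/* Models decompressor setup; zlib_fails simulates Z_STREAM_ERROR. */
int connp_setup(connp_t *c, int zlib_fails) {
    c->out_decomp = zlib_fails ? NULL : calloc(1, sizeof(decompressor_t));
    c->status = c->out_decomp ? STREAM_OK : STREAM_ERROR;
    return c->status;
}

/* Pattern from the report: resets status, then dereferences unconditionally.
 * Crashes when out_decomp is NULL. Shown for contrast; never called here. */
int connp_close_unchecked(connp_t *c) {
    c->status = STREAM_OK;
    c->out_decomp->finished = 1;
    return c->status;
}

/* Guarded form: keeps the error state and never touches a NULL decompressor. */
int connp_close_checked(connp_t *c) {
    if (c == NULL || c->status == STREAM_ERROR || c->out_decomp == NULL)
        return STREAM_ERROR;    /* nothing to flush; stay in error */
    c->out_decomp->finished = 1;
    free(c->out_decomp);
    c->out_decomp = NULL;
    return STREAM_OK;
}

/* Setup followed by close, as the caller in the report does even after
 * the parser has already returned a stream error. */
int run_chain(int zlib_fails) {
    connp_t c = { STREAM_OK, NULL };
    connp_setup(&c, zlib_fails);
    return connp_close_checked(&c);
}

int main(void) {
    return (run_chain(1) == STREAM_ERROR && run_chain(0) == STREAM_OK) ? 0 : 1;
}
```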

Comment 1 Vasyl Kaigorodov 2015-01-09 09:59:30 UTC
Created libhtp tracking bugs for this issue:

Affects: fedora-all [bug 1180488]
Affects: epel-all [bug 1180489]

Comment 2 Mathieu Bridon 2015-01-09 10:11:19 UTC
Isn't that a duplicate of 1173605 ?

Comment 3 Vasyl Kaigorodov 2015-01-09 16:49:12 UTC
(In reply to Mathieu Bridon from comment #2)
> Isn't that a duplicate of 1173605 ?

Ooops, you're right.
Closing this one.

*** This bug has been marked as a duplicate of bug 1173605 ***

