Bug 1329295 (CVE-2016-4912) - CVE-2016-4912 openslp: null pointer dereference in _xrealloc() function
Summary: CVE-2016-4912 openslp: null pointer dereference in _xrealloc() function
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-4912
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1337402 1337403
Blocks: 1329300
TreeView+ depends on / blocked
 
Reported: 2016-04-21 14:40 UTC by Andrej Nemec
Modified: 2019-09-29 13:47 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-19 06:53:34 UTC


Attachments (Terms of Use)

Description Andrej Nemec 2016-04-21 14:40:35 UTC
A null pointer dereference vulnerability was found in function _xrealloc() in xlsp_xmalloc.c in OpenSLP. A remote attacker could potentially crash the server when large number of packets are sent.

Vulnerable code:

void * _xrealloc(const char * file, int line, void * ptr, size_t size)
{
xallocation_t * x;

if (!ptr)
return _xmalloc(file, line, size);

if (!size)
{
_xfree(file, line, ptr);
return 0;
}

x = _xmalloc_find(ptr);
if (x != 0)
{
void * newptr = ptr;
if (x->size != size)
{
newptr = _xmalloc(file, line, size);   //*** return 0 if failed from _xmalloc
memcpy(newptr, ptr, x->size);  //*** it'll cased a null pointer reference
_xfree(file, line, x);
}
return newptr;
}

if (G_xmalloc_fh)
fprintf(G_xmalloc_fh, "*** xrealloc called on "
"non-xmalloc'd memory ***\n");

return 0;
}

Comment 1 Andrej Nemec 2016-04-21 14:40:40 UTC
Acknowledgments:

Name: Yuguang Cai (Qihoo 360)

Comment 3 Huzaifa S. Sidhpurwala 2016-05-18 06:58:21 UTC
CVE request at:

http://seclists.org/oss-sec/2016/q2/361

Comment 4 Huzaifa S. Sidhpurwala 2016-05-19 06:51:13 UTC
Created openslp tracking bugs for this issue:

Affects: fedora-all [bug 1337402]
Affects: epel-5 [bug 1337403]

Comment 5 Huzaifa S. Sidhpurwala 2016-05-19 07:01:12 UTC
Note:

Upstream has been made aware of this issue via:
https://sourceforge.net/p/openslp/bugs/152/

Comment 6 Rex Dieter 2016-05-19 12:45:14 UTC
Curious, why was this closed->WONTFIX ?

Comment 7 Fedora Update System 2016-05-31 08:12:54 UTC
openslp-2.0.0-9.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2016-06-08 01:21:02 UTC
openslp-2.0.0-6.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2016-06-08 01:24:34 UTC
openslp-2.0.0-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 John Calcote 2017-04-07 18:16:18 UTC
Please note that the function in question - _xmalloc (recently changed to slp_xmalloc for libslp namespace reasons) is a DEBUG-only method. That is, it is only implemented in DEBUG builds of OpenSLP. Given this fact, it's unlikely to be a security issue in any deployment.

Comment 11 John Calcote 2017-04-07 18:17:26 UTC
Sorry - I meant _xrealloc (now slp_xrealloc).

Comment 12 John Calcote 2017-04-07 18:26:25 UTC
I've fixed the issue in openslp mercurial commit 1781.


Note You need to log in before you can comment on or make changes to this bug.