
Add sanity checks for calls to malloc in predict.c for NMAP-7.xx


From: Bill Parker <wp02855 () gmail com>
Date: Sat, 9 Jan 2016 13:38:22 -0800

Hello All,

While reviewing the source code of NMAP-7.xx, I found calls to malloc()
in predict.c whose return value is not checked for NULL, which indicates
failure.  Additionally, the patch closes any open file handles before
exit() is called.

The patch file below should address/correct this issue:

--- predict.c.orig      2016-01-09 10:19:20.268200257 -0800
+++ predict.c   2016-01-09 10:27:09.445830321 -0800
@@ -63,8 +63,19 @@
                }

                labels=(int *) malloc(nr_class*sizeof(int));
+               if (labels == NULL) /* oops, malloc() failed... */
+               {
+                       fprintf(stderr, "ERROR: Out of memory for labels in
function: do_predict()...\n");
+                       exit(1);
+               }
                get_labels(model_,labels);
                prob_estimates = (double *) malloc(nr_class*sizeof(double));
+               if (prob_estimates == NULL) /* oops, malloc() failed... */
+               {
+                       fprintf(stderr, "ERROR: Out of memory for
prob_estimates in function: do_predict()...\n");
+                       free(labels);
+                       exit(1);
+               }
                fprintf(output,"labels");
                for(j=0;j<nr_class;j++)
                        fprintf(output," %d",labels[j]);
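Review bot: The new NULL checks cover the result of `malloc()` but not the size passed to it: `nr_class*sizeof(int)` and `nr_class*sizeof(double)` are still computed from an unvalidated `nr_class`. A zero or negative value would be reported as "Out of memory", because `malloc(0)` may legitimately return NULL and a negative count converts to a very large `size_t`. Where `nr_class` is set is outside the hunk; if it comes from the loaded model, a guard such as `if (nr_class <= 0)` with its own message before the first allocation would separate a bad model from real memory exhaustion. The `free(labels);` before `exit(1);` has no practical effect, since the process ends on the next line. do_predict() starts and ends outside the hunk.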
@@ -74,6 +85,13 @@

        max_line_len = 1024;
        line = (char *)malloc(max_line_len*sizeof(char));
+       if (line == NULL) /* oops, malloc() failed... */
+       {
+               fprintf(stderr, "ERROR: Out of memory for line in function:
do_predict()...\n");
+               free(prob_estimates);
+               free(labels);
+               exit(1);
+       }
        while(readline(input) != NULL)
        {
                int i = 0;
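Review bot: The added `free(labels);` in the `line == NULL` branch sits at function level, while the first hunk allocates `labels` one indentation level deeper, inside a nested block. The declaration of `labels` and the three lines between the two hunks are not shown; if `labels` is declared in that inner block this branch will not compile, and if the block already frees it before closing, this is a double free. `free(prob_estimates);` is likewise only safe if that pointer is initialised to NULL for the case where the inner block is skipped. Since `exit(1);` follows immediately, dropping both `free()` calls from this branch removes all three risks without changing behaviour. do_predict() starts and ends outside the hunk.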
@@ -197,16 +215,26 @@
        if(output == NULL)
        {
                fprintf(stderr,"can't open output file %s\n",argv[i+2]);
+               fclose(input);
                exit(1);
        }

        if((model_=load_model(argv[i+1]))==0)
        {
                fprintf(stderr,"can't open model file %s\n",argv[i+1]);
+               fclose(output);
+               fclose(input);
                exit(1);
        }

        x = (struct feature_node *) malloc(max_nr_attr*sizeof(struct
feature_node));
+       if (x == NULL)
+       {
+               fprintf(stderr,"Out of memory in: predict() main...\n");
+               fclose(output);
+               fclose(input);
+               exit(1);
+       }
        do_predict(input, output, model_);
        free_and_destroy_model(&model_);
        free(line);
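Review bot: The `x == NULL` branch closes both streams but does not release the model loaded by `load_model()` a few lines above, so the cleanup-before-exit this patch introduces is incomplete there; adding `free_and_destroy_model(&model_);` before the `fclose()` calls would match the normal path at the end of the hunk. The message `"Out of memory in: predict() main...\n"` also differs from the `ERROR: Out of memory for ... in function: ...` form used in do_predict(). Separately, `x` and `line` start at fixed sizes (`max_nr_attr`, 1024), which suggests they are grown elsewhere; any `realloc()` on them in code outside these hunks would need the same NULL check, which cannot be confirmed from the patch. The enclosing function continues outside the hunk.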
I am attaching the patch file to this bug report...

Bill Parker (wp02855 () gmail com)

Attachment: predict.c.patch
Description:
