detect/tls: Use pcre_copy_substring to avoid leak

This commit eliminates a memory leak while parsing TLS version information. The leak was identified through fuzzing.
lxc1121 · Mar 30, 2020 · 2823bc5 · 2823bc5
1 parent 3d969a1
commit 2823bc5
Showing 1 changed file with 4 additions and 12 deletions.
diff --git a/src/detect-tls-version.c b/src/detect-tls-version.c
@@ -160,12 +160,11 @@ static DetectTlsVersionData *DetectTlsVersionParse (const char *str)
  }
 
  if (ret > 1) {
- const char *str_ptr;
- char *orig;
+ char ver_ptr[64];
  char *tmp_str;
- res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 1, &str_ptr);
+ res = pcre_copy_substring((char *)str, ov, MAX_SUBSTRINGS, 1, ver_ptr, sizeof(ver_ptr));
  if (res < 0) {
- SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
+ SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
  goto error;
  }
 
@@ -174,11 +173,7 @@ static DetectTlsVersionData *DetectTlsVersionParse (const char *str)
  if (unlikely(tls == NULL))
  goto error;
 
- orig = SCStrdup((char*)str_ptr);
- if (unlikely(orig == NULL)) {
- goto error;
- }
- tmp_str=orig;
+ tmp_str = ver_ptr;
 
  /* Let's see if we need to scape "'s */
  if (tmp_str[0] == '"')
@@ -200,14 +195,11 @@ static DetectTlsVersionData *DetectTlsVersionParse (const char *str)
  tls->flags |= DETECT_TLS_VERSION_FLAG_RAW;
  } else {
  SCLogError(SC_ERR_INVALID_VALUE, "Invalid value");
- SCFree(orig);
  goto error;
  }
 
  tls->ver = temp;
 
- SCFree(orig);
-
  SCLogDebug("will look for tls %"PRIu16"", tls->ver);
  }