Merge pull request #801 from appneta/Bug_#782_#784_#785_#786_#787_#78…

…8_strtok_r_isuses Bug #782 #784 #785 #786 #787 #788 strtok r isuses
appneta · Jun 5, 2023 · 128ecaf · 128ecaf
2 parents 22ecbca + bfab833
commit 128ecaf
Show file tree

Hide file tree

Showing 6 changed files with 11 additions and 3 deletions.
diff --git a/docs/CHANGELOG b/docs/CHANGELOG
@@ -1,6 +1,8 @@
 06/04/2023 Version 4.4.4-beta1
+    - CVE-2023-27786 bugs caused by strtok_r (#782 #784 #785 #786 #787 #788)
     - CVE-2023-27783 reachable assert in tcpedit_dlt_cleanup (#780)
     - add CI - C/C++ Linter and CodeQL (#773)
+
 01/01/2023 Version 4.4.3
     - upgrade autogen/libopts to version 5.18.16 (#759)
     - avoid implicit int in configure.ac (#757)

diff --git a/src/common/cidr.c b/src/common/cidr.c
@@ -253,6 +253,8 @@ parse_cidr(tcpr_cidr_t **cidrdata, char *cidrin, char *delim)
 
     /* first iteration of input using strtok */
     network = strtok_r(cidrin, delim, &token);
+    if (network == NULL)
+        return 0;
 
     *cidrdata = cidr2cidr(network);
     cidr_ptr = *cidrdata;
@@ -320,6 +322,8 @@ parse_endpoints(tcpr_cidrmap_t **cidrmap1, tcpr_cidrmap_t **cidrmap2, const char
         /* ipv4 mode */
         memset(newmap, '\0', NEWMAP_LEN);
         map = strtok_r(string, ":", &token);
+        if (map == NULL)
+            goto done;
 
         strlcpy(newmap, "0.0.0.0/0:", NEWMAP_LEN);
         strlcat(newmap, map, NEWMAP_LEN);

diff --git a/src/common/list.c b/src/common/list.c
@@ -74,7 +74,7 @@ parse_list(tcpr_list_t **listdata, char *ourstr)
     second = NULL;
 
     /* regex test */
-    if (regexec(&preg, this, 0, NULL, 0) != 0) {
+    if (this == NULL || regexec(&preg, this, 0, NULL, 0) != 0) {
         warnx("Unable to parse: %s", this);
         regfree(&preg);
         return 0;

diff --git a/src/common/mac.c b/src/common/mac.c
@@ -112,7 +112,7 @@ macinstring(const char *macstring, const u_char *mac)
     memset(&tempmac[0], 0, sizeof(tempmac));
 
     tempstr = strtok_r(ourstring, ",", &tok);
-    if (strlen(tempstr)) {
+    if (tempstr != NULL && strlen(tempstr)) {
         mac2hex(tempstr, tempmac, len);
         if (memcmp(mac, tempmac, len) == 0) {
             dbgx(3, "Packet matches: " MAC_FORMAT " sending out primary.\n", MAC_STR(tempmac));

diff --git a/src/common/utils.c b/src/common/utils.c
@@ -336,6 +336,8 @@ read_hexstring(const char *l2string, u_char *hex, int hexlen)
 
     /* get the first byte */
     l2byte = strtok_r(string, ",", &token);
+    if (l2byte == NULL)
+        err(-1, "Hex buffer must contain something");
     value = strtol(l2byte, NULL, 16);
     if (value > 0xff)
         errx(-1, "Invalid hex string byte: %s", l2byte);

diff --git a/src/tcpedit/portmap.c b/src/tcpedit/portmap.c
@@ -188,7 +188,7 @@ parse_portmap(tcpedit_portmap_t **portmap, const char *ourstr)
     /* first iteration of input */
     substr = strtok_r(ourstrcpy, ",", &token);
 
-    if ((*portmap = ports2PORT(substr)) == NULL) {
+    if (substr == NULL || (*portmap = ports2PORT(substr)) == NULL) {
         safe_free(ourstrcpy);
         return 0;
     }