The overflow is here:
if(submatchnbr > sizeof(pmatch)/sizeof(regmatch_t)) {
The comparison should be >=, not >.
And then, it is indeed a memory leak at the end:
if(bMustFree) free(str);
if(r[0].datatype == 'S') es_deleteStr(r[0].d.estr);
if(r[2].datatype == 'S') es_deleteStr(r[2].d.estr);
if(r[3].datatype == 'S') es_deleteStr(r[3].d.estr);
finalize_it:
--
Pavel Levshin
25.10.2013 15:52, Rainer Gerhards:
> On Thu, Oct 24, 2013 at 11:18 PM, Pavel Levshin <[email protected]> wrote:
>> By the way, this patch also fixes a bug with buffer overflow in re_extract.
> I have now reviewed the patch and have to admit that I still don't see the
> overflow. The only thing I noticed was that you change the type of
> submatchnbr, but it used the correct type (I guess you wanted to try to
> save some time by a smaller type and relying on the prototype to extend it
> back to size_t when needed).
> So I would appreciate if you could point me at this overflow.
> Thanks,
> Rainer
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
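The two defects discussed in the thread, the off-by-one bound check on the pmatch array and the cleanup that error paths skip because it sits before the finalize_it label, in a small self-contained C illustration. This is an added example, not rsyslog's re_extract code; the function and helper names (extract_submatch, submatch_in_bounds_buggy, submatch_in_bounds_fixed), the MAX_SUBMATCH size and the sample pattern and input are assumptions chosen for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical array size; pmatch[0..MAX_SUBMATCH-1] are the only valid slots. */
#define MAX_SUBMATCH 10

/* The check as quoted in the thread: '>' lets submatchnbr == npmatch through,
 * and pmatch[npmatch] is one element past the end of the array. */
static int submatch_in_bounds_buggy(size_t submatchnbr, size_t npmatch)
{
    return !(submatchnbr > npmatch);
}

/* Corrected check: an index equal to the element count is out of bounds. */
static int submatch_in_bounds_fixed(size_t submatchnbr, size_t npmatch)
{
    return !(submatchnbr >= npmatch);
}

/* Return a malloc'd copy of submatch `submatchnbr` of `re` applied to `str`,
 * or NULL on any failure. Every resource is released on every path because the
 * cleanup sits after the finalize_it label, not before it; a goto from an
 * early error therefore cannot skip it. Caller frees the result. */
char *extract_submatch(const char *re, const char *str, size_t submatchnbr)
{
    regex_t preg;
    regmatch_t pmatch[MAX_SUBMATCH];
    const size_t npmatch = sizeof(pmatch) / sizeof(regmatch_t);
    char *out = NULL;
    char *copy = NULL;   /* stands in for the bMustFree temporary in the thread */
    int compiled = 0;
    size_t len;

    if (!submatch_in_bounds_fixed(submatchnbr, npmatch))
        goto finalize_it;
    if (regcomp(&preg, re, REG_EXTENDED) != 0)
        goto finalize_it;
    compiled = 1;

    len = strlen(str);
    copy = malloc(len + 1);
    if (copy == NULL)
        goto finalize_it;
    memcpy(copy, str, len + 1);

    if (regexec(&preg, copy, npmatch, pmatch, 0) != 0)
        goto finalize_it;
    /* regexec sets rm_so to -1 for groups that do not exist or did not match */
    if (pmatch[submatchnbr].rm_so == -1)
        goto finalize_it;

    len = (size_t)(pmatch[submatchnbr].rm_eo - pmatch[submatchnbr].rm_so);
    out = malloc(len + 1);
    if (out == NULL)
        goto finalize_it;
    memcpy(out, copy + pmatch[submatchnbr].rm_so, len);
    out[len] = '\0';

finalize_it:
    /* cleanup after the label: reached by success and by every goto above */
    free(copy);
    if (compiled)
        regfree(&preg);
    return out;
}

int main(void)
{
    /* constructed sample input, not a real log line */
    char *port = extract_submatch("^([a-z]+)=([0-9]+)$", "port=514", 2);
    printf("submatch 2: %s\n", port ? port : "(null)");
    printf("index 10 accepted by buggy check: %d, by fixed check: %d\n",
           submatch_in_bounds_buggy(10, MAX_SUBMATCH),
           submatch_in_bounds_fixed(10, MAX_SUBMATCH));
    free(port);
    return 0;
}
```

Asking for submatch number MAX_SUBMATCH is exactly the case the `>` comparison admits; with `>=` it is rejected before regexec runs, and a group that exists in the array but not in the pattern is caught by the rm_so check rather than by reading uninitialised memory.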