Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Couple of minor issues in command handling code #26

Closed
JohnLaTwC opened this issue Nov 19, 2020 · 2 comments
Closed

Couple of minor issues in command handling code #26

JohnLaTwC opened this issue Nov 19, 2020 · 2 comments

Comments

@JohnLaTwC
Copy link

Issue 1

Check for failed allocation to avoid access violation on write

    // Make sure we have enough space to add '\0' character at end.
    enc = (char*)b64_realloc(enc, size + 1);
! Should check for failed allocation before the next assignment.
-    enc[size] = '\0';
+    if (NULL != enc) {
+        enc[size] = '\0';
+    } else {
+        return NULL;
+    }

trevorc2/agents/c/src/encode.c

Line 89 in cb508ca

enc = (char*)b64_realloc(enc, size + 1);

Issue 2

I am not sure of the intent when doTasking is on the nth iteration of getting shell command output but fails due memory allocation. Currently the code returns the buffer with as much as it was able to read. But there is some unreachable code that may be a remnant of treating this as an error case.

unsigned char* doTasking(unsigned char* command, int* outSize)
...

    while (1) {
        tempshelldata = realloc(shelldata, fullReadSize + 2048 + 1);
        if (tempshelldata == NULL) {
            break;
! breaks out of the loop when realloc returns NULL
        }
        if (tempshelldata == NULL) {
! this code is not reachable because the check against NULL above breaks out of the loop
! if this code was reached, it does not set `shelldata` to NULL after `free` which would result in callers to `doTasking` 
! operating on undefined memory and potentially a double-free because they also call `free`
            free(shelldata);
        }

trevorc2/agents/c/src/main.c

Line 326 in 4154bd2

if (tempshelldata == NULL) {

kev169 added a commit to kev169/trevorc2 that referenced this issue Dec 8, 2020
@kev169
Fixed issue noted in trustedsec#26, and added note for clang-format.
56cbeee
HackingDave added a commit that referenced this issue Dec 8, 2020
@HackingDave
Merge pull request #27 from kev169/master
5f2f2a5 
Fixes for #26
@HackingDave
Copy link
Contributor

Thanks for the report, merged and fixed.

@JohnLaTwC
Copy link
Author

My only other comment is that when shelldata is set to NULL in that PR, you may also want to set fullReadSize = 0 Otherwise you can end up with a case where if realloc fails during the Nth iteration of a loop the function will return NULL but with a non-zero length in the outSize param. The main function does not check for a NULL return from doTasking and passes the output values to sendTasking. A quick check of sendTasking didn't see an obvious problem due to a difference in length between a NULL shelldata with an incorrect length, but it may be safer to check for NULL before calling sendTasking and ensuring length returned from doTasking is zero if it returns NULL.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@JohnLaTwC @HackingDave