From 4bddcd23794bfcdd43eabd5da5e33d4227b117eb Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 25 Apr 2013 14:56:14 -0400 Subject: [PATCH 1/4] Fixed a bug in the vulnerable software script and added a test. --- .../policy/frameworks/software/vulnerable.bro | 27 ++++++++++++------- .../notice.log | 11 ++++++++ .../policy/frameworks/software/vulnerable.bro | 23 ++++++++++++++++ 3 files changed, 51 insertions(+), 10 deletions(-) create mode 100644 testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log create mode 100644 testing/btest/scripts/policy/frameworks/software/vulnerable.bro diff --git a/scripts/policy/frameworks/software/vulnerable.bro b/scripts/policy/frameworks/software/vulnerable.bro index aedb309dba..47c64885f5 100644 --- a/scripts/policy/frameworks/software/vulnerable.bro +++ b/scripts/policy/frameworks/software/vulnerable.bro @@ -43,15 +43,6 @@ export { global internal_vulnerable_versions: table[string] of set[VulnerableVersionRange] = table(); -event Control::configuration_update() - { - internal_vulnerable_versions = table(); - - # Copy the const vulnerable versions into the global modifiable one. - for ( sw in vulnerable_versions ) - internal_vulnerable_versions[sw] = vulnerable_versions[sw]; - } - function decode_vulnerable_version_range(vuln_sw: string): VulnerableVersionRange { # Create a max value with a dunce value only because the $max field 
@@ -115,11 +106,27 @@ event grab_vulnerable_versions(i: count) } } -event bro_init() +function update_vulnerable_sw() { + internal_vulnerable_versions = table(); + + # Copy the const vulnerable versions into the global modifiable one. + for ( sw in vulnerable_versions ) + internal_vulnerable_versions[sw] = vulnerable_versions[sw]; + event grab_vulnerable_versions(1); } +event bro_init() &priority=3 + { + update_vulnerable_sw(); + } + +event Control::configuration_update() &priority=3 + { + update_vulnerable_sw(); + } + event log_software(rec: Info) { if ( rec$name !in internal_vulnerable_versions ) diff --git a/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log b/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log new file mode 100644 index 0000000000..21b5342a13 --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path notice +#open 2013-04-25-18-55-26 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude metric_index.host metric_index.str metric_index.network +#types time string addr port addr port enum enum string string addr addr port count string table[enum] interval bool string string string double double addr string subnet +1366916126.685057 - - - - - - Software::Vulnerable_Version 1.2.3.4 is running Java 1.7.0.15 which is vulnerable. Java 1.7.0.15 1.2.3.4 - - - bro Notice::ACTION_LOG 3600.000000 F - - - - - - - - +1366916126.685057 - - - - - - Software::Vulnerable_Version 1.2.3.5 is running Java 1.6.0.43 which is vulnerable. Java 1.6.0.43 1.2.3.5 - - - bro Notice::ACTION_LOG 3600.000000 F - - - - - - - - +#close 2013-04-25-18-55-26 
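Review bot: `update_vulnerable_sw()` clears `internal_vulnerable_versions` and synchronously restores only the const `vulnerable_versions` entries; whatever `grab_vulnerable_versions` contributes arrives later through the queued event. On every `Control::configuration_update` there is therefore a window in which `log_software` tests `rec$name !in internal_vulnerable_versions` against a partial table and could skip a version that was flagged before the reload. The body of `grab_vulnerable_versions` lies outside the hunk, so this assumes it adds entries to the same table; if it does, refilling a local table and assigning it to the global once complete would avoid the gap. The two `&priority=3` attributes also deserve a comment stating the intent, for example `# Populate the table ahead of default-priority handlers that may report software.`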
diff --git a/testing/btest/scripts/policy/frameworks/software/vulnerable.bro b/testing/btest/scripts/policy/frameworks/software/vulnerable.bro new file mode 100644 index 0000000000..2ea7009a21 --- /dev/null +++ b/testing/btest/scripts/policy/frameworks/software/vulnerable.bro @@ -0,0 +1,23 @@ +# @TEST-EXEC: bro %INPUT +# @TEST-EXEC: btest-diff notice.log + +@load frameworks/software/vulnerable + +redef Software::asset_tracking = ALL_HOSTS; + +global java_1_6_vuln: Software::VulnerableVersionRange = [$max=[$major=1,$minor=6,$minor2=0,$minor3=43]]; +global java_1_7_vuln: Software::VulnerableVersionRange = [$min=[$major=1,$minor=7], $max=[$major=1,$minor=7,$minor2=0,$minor3=20]]; +redef Software::vulnerable_versions += { + ["Java"] = set(java_1_6_vuln, java_1_7_vuln) +}; + +event bro_init() + { + Software::found([$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=4.3.2.1, $resp_p=80/tcp], + [$name="Java", $host=1.2.3.4, $version=[$major=1, $minor=7, $minor2=0, $minor3=15]]); + Software::found([$orig_h=1.2.3.5, $orig_p=1234/tcp, $resp_h=4.3.2.1, $resp_p=80/tcp], + [$name="Java", $host=1.2.3.5, $version=[$major=1, $minor=6, $minor2=0, $minor3=43]]); + Software::found([$orig_h=1.2.3.6, $orig_p=1234/tcp, $resp_h=4.3.2.1, $resp_p=80/tcp], + [$name="Java", $host=1.2.3.6, $version=[$major=1, $minor=6, $minor2=0, $minor3=50]]); + + } From 424025fb04169a4f9ee2e12a55c138eb5f101bda Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Sat, 27 Apr 2013 15:07:35 -0700 Subject: [PATCH 2/4] Updating submodule(s). [nomail] --- aux/binpac | 2 +- aux/broctl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/aux/binpac b/aux/binpac index 72d121ade5..a4b8dd0b69 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 72d121ade5a37df83d3252646de51cb77ce69a89 +Subproject commit a4b8dd0b691c3f614537ad8471fc80a82ce7b2df diff --git a/aux/broctl b/aux/broctl index 058e66ce20..786b83664c 160000 --- a/aux/broctl +++ b/aux/broctl 
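Review bot: The new test drives only the `bro_init` path; the `Control::configuration_update` handler that the same commit rewires to `update_vulnerable_sw()` is never raised, so a regression in the reload path would leave notice.log unchanged. Raising the event from the test, e.g. `event Control::configuration_update();` followed by a `Software::found` call for a fourth host, would cover it, though the ordering of that event relative to the found records needs to be confirmed. A comment above the three `Software::found` calls naming the expected result, such as `# 1.2.3.4 and 1.2.3.5 fall inside a vulnerable range; 1.2.3.6 (1.6.0.50) must not be reported.`, would make the baseline readable without opening notice.log.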
@@ -1 +1 @@ -Subproject commit 058e66ce20604e2c4f45da1f06910c3528d89ec3 +Subproject commit 786b83664c6a15faeb153d118310526b7790deae From 1a41bfa0ef0bf2a8fc1829388a350609f98a6a42 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 29 Apr 2013 20:37:26 -0700 Subject: [PATCH 3/4] Fixing memory leak in CompHash. Amazing what code still has memory leaks ... Closes #987. --- src/CompHash.cc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/CompHash.cc b/src/CompHash.cc index 05d3e515d2..202ddf6305 100644 --- a/src/CompHash.cc +++ b/src/CompHash.cc @@ -830,7 +830,10 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0, } for ( int i = 0; i < n; ++i ) + { tv->Assign(keys[i], t->IsSet() ? 0 : values[i]); + Unref(keys[i]); + } pval = tv; } From a201d2e033646d6d77741270bd0bc952e221c840 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 29 Apr 2013 21:10:59 -0700 Subject: [PATCH 4/4] Fixing more memory leaks. --- CHANGES | 5 +++++ VERSION | 2 +- src/CompHash.cc | 25 ++++++++++++++++++++++--- 3 files changed, 28 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 03dd47d3e9..e3d20b84b6 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,9 @@ +2.1-397 | 2013-04-29 21:19:00 -0700 + + * Fixing memory leaks in CompHash implementation. Addresses #987. + (Robin Sommer) + 2.1-394 | 2013-04-27 15:02:31 -0700 * Fixed a bug in the vulnerable software script and added a test. diff --git a/VERSION b/VERSION index 962239ea7b..4809e9f2e9 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.1-394 +2.1-397 diff --git a/src/CompHash.cc b/src/CompHash.cc index 202ddf6305..e793a104e0 100644 --- a/src/CompHash.cc +++ b/src/CompHash.cc @@ -77,7 +77,7 @@ char* CompositeHash::SingleValHash(int type_check, char* kp0, *kp = ( v ? 1 : 0); kp0 = reinterpret_cast(kp+1); - if ( ! v ) + if ( ! v ) return kp0; } 
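Review bot: The `Unref(keys[i])` added to the loop in `CompositeHash::RecoverOneVal` (hunk at -830) relies on an ownership rule that nothing in the code states: the index is released after `Assign()` while `values[i]` is not, so presumably `Assign()` keeps its own reference to the index and takes over the value. A one-line comment would keep the next edit from removing the call or adding a second one for the value, e.g. `// Assign() does not adopt the index reference; release ours.`, with the wording checked against the `Assign()` implementation, which is not visible here. The function body starts and ends outside the hunk, so how `keys` and `values` are filled for the set case cannot be confirmed from this page.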
@@ -181,16 +181,24 @@ char* CompositeHash::SingleValHash(int type_check, char* kp0, Val* key = lv->Index(i); if ( ! (kp1 = SingleValHash(type_check, kp1, key->Type(), key, false)) ) + { + Unref(lv); return 0; + } if ( ! v->Type()->IsSet() ) { Val* val = tv->Lookup(key); if ( ! (kp1 = SingleValHash(type_check, kp1, val->Type(), val, false)) ) + { + Unref(lv); return 0; + } } } + + Unref(lv); } break; @@ -454,16 +462,27 @@ int CompositeHash::SingleTypeKeySize(BroType* bt, const Val* v, Val* key = lv->Index(i); sz = SingleTypeKeySize(key->Type(), key, type_check, sz, false, calc_static_size); - if ( ! sz ) return 0; + if ( ! sz ) + { + Unref(lv); + return 0; + } + if ( ! bt->IsSet() ) { Val* val = tv->Lookup(key); sz = SingleTypeKeySize(val->Type(), val, type_check, sz, false, calc_static_size); - if ( ! sz ) return 0; + if ( ! sz ) + { + Unref(lv); + return 0; + } } } + Unref(lv); + break; }
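Review bot: The fix in `SingleValHash` repeats `Unref(lv)` by hand on three exit paths (two early `return 0` branches and the normal exit), and the hunk at -454 in `SingleTypeKeySize` does the same, so any early return added later leaks the list again. Since these functions compute hash keys for table values, such a leak would presumably grow with the volume of data processed, which is why the invariant should be written down where `lv` is obtained. That line is outside both hunks; a comment there such as `// lv is owned by this block: Unref() it on every return path below.` would state the rule. A single-exit form (set a failure flag, leave the loop, `Unref(lv)` once) would remove the duplication, if that fits the surrounding switch.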