Merge pull request #13 from cowrie/claude/review-c-code-logic-gKpMn

Author: micheloosterhof

modules/curl/module.c

@@ -306,9 +306,7 @@ static int curl_socketfunction_cb(CURL *easy, curl_socket_t s, int action, void
 	struct session *session;
 	curl_easy_getinfo(easy, CURLINFO_PRIVATE, (char **)&session);
 
-#ifdef DEBUG
 	const char *action_str[]={ "none", "IN", "OUT", "INOUT", "REMOVE"};
-#endif
 
 	g_debug("socket callback: s=%d e=%p what=%s ", s, easy, action_str[action]);
 
@@ -353,7 +351,7 @@ static size_t curl_writefunction_cb(void *ptr, size_t size, size_t nmemb, void *
 			return size*nmemb;
 
 		g_debug("session %p file %i", session, session->action.upload.file->fd);
-		if( write(session->action.upload.file->fd, ptr, size*nmemb) != size*nmemb)
+		if( write(session->action.upload.file->fd, ptr, size*nmemb) != (ssize_t)(size*nmemb))
 			return 0;
 	}
 

modules/emu/detect.c

@@ -133,7 +133,7 @@ void proc_emu_on_io_in(struct connection *con, struct processor_data *pd)
 #endif
 		ret = emu_shellcode_test(e, streamdata, size);
 		emu_free(e);
-		ctx->offset += size;
+		ctx->offset = offset + size;
 		if( ret >= 0 )
 		{
 			struct incident *ix = incident_new("dionaea.shellcode.detected");

modules/emu/emulate.c

@@ -195,8 +195,8 @@ void emulate_ctx_free(void *data)
 	if( ctx->time != NULL )
 		g_timer_destroy(ctx->time);
 
-	emu_free(ctx->emu);
 	emu_env_free(ctx->env);
+	emu_free(ctx->emu);
 	g_mutex_clear(&ctx->mutex);
 	if( ctx->ctxcon != NULL )
 		connection_unref(ctx->ctxcon);

modules/nfq/nfq.c

@@ -188,18 +188,31 @@ static int nfqueue_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nf
 		return 1;		// from nfqueue source: 0 = ok, >0 = soft error, <0 hard error
 	}
 
+	id = ntohl(ph->packet_id);
+
 	len = nfq_get_payload(nfa, &payload);
 
 	if( len <= 0 )
-		return 0;
+	{
+		nf = NF_DROP;
+		goto send_verdict;
+	}
 
-	if( len <=  sizeof(struct iphdr) )
-		return 0;
+	if( len <= (int)sizeof(struct iphdr) )
+	{
+		nf = NF_DROP;
+		goto send_verdict;
+	}
 
 	struct iphdr * ip = (struct iphdr *) payload;
 	if( ip->version == IPVERSION )
 	{ /* IPv4 */
-		if( len >= ip->ihl * 4 + sizeof(struct tcphdr) )
+		if( ip->ihl < 5 )
+		{
+			nf = NF_DROP;
+			goto send_verdict;
+		}
+		if( len >= ip->ihl * 4 + (int)sizeof(struct tcphdr) )
 		{
 			struct tcphdr * tcp = (struct tcphdr *) (payload + ip->ihl * 4);
 
@@ -233,7 +246,8 @@ static int nfqueue_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nf
 		nf = NF_ACCEPT;
 	}
 
-	id = ntohl(ph->packet_id);
+send_verdict:
+	;
 	uintptr_t cmd = (uintptr_t)nfq_backend;
 	if( send(g_dionaea->pchild->fd, &cmd, sizeof(uintptr_t), 0) != sizeof(uintptr_t) ||
 		send(g_dionaea->pchild->fd, &id, sizeof(id), 0) != sizeof(id) ||

modules/pcap/pcap.c

@@ -257,11 +257,11 @@ static bool pcap_prepare(void)
 					if( addr->addr )
 						g_debug("\t\t\taddr %s", inet_ntop(addr->addr->sa_family, addr_offset(addr->addr), name, 128));
 					if( addr->netmask )
-						g_debug("\t\t\tnetmask %s", inet_ntop(addr->addr->sa_family, addr_offset(addr->addr), name, 128));
+						g_debug("\t\t\tnetmask %s", inet_ntop(addr->netmask->sa_family, addr_offset(addr->netmask), name, 128));
 					if( addr->broadaddr )
-						g_debug("\t\t\tbcast %s", inet_ntop(addr->addr->sa_family, addr_offset(addr->addr), name, 128));
+						g_debug("\t\t\tbcast %s", inet_ntop(addr->broadaddr->sa_family, addr_offset(addr->broadaddr), name, 128));
 					if( addr->dstaddr )
-						g_debug("\t\t\tdstaddr %s", inet_ntop(addr->addr->sa_family, addr_offset(addr->addr), name, 128));
+						g_debug("\t\t\tdstaddr %s", inet_ntop(addr->dstaddr->sa_family, addr_offset(addr->dstaddr), name, 128));
 					g_string_append_printf(bpf_filter_string_addition, "or src host %s ", inet_ntop(addr->addr->sa_family, addr_offset(addr->addr), name, 128));
 					break;
 

modules/python/dionaea/hpfeeds.py

@@ -72,12 +72,18 @@ def timestr():
 def strpack8(x):
     if isinstance(x, str):
         x = x.encode('latin1')
-    return struct.pack('!B', len(x)%0xff) + x
+    if len(x) > 255:
+        raise BadClient('strpack8: string too long (%d bytes)' % len(x))
+    return struct.pack('!B', len(x)) + x
 
 
 # unpacks a string with 1 byte length field
 def strunpack8(x):
+    if len(x) < 1:
+        raise BadClient('strunpack8: buffer too short for length field')
     length = x[0]
+    if len(x) < 1 + length:
+        raise BadClient('strunpack8: buffer too short (need %d, have %d)' % (1 + length, len(x)))
     return x[1:1+length], x[1+length:]
 
 

modules/python/module.c

@@ -197,7 +197,7 @@ static bool hupy(void)
 	}
 	for (module_name = module_names; *module_name; module_name++) {
 		struct import *i;
-		if( (i = g_hash_table_lookup(runtime.imports, module_name)) != NULL ) {
+		if( (i = g_hash_table_lookup(runtime.imports, *module_name)) != NULL ) {
 			g_message("Import %s exists, reloading", *module_name);
 
 			PyObject *func = PyObject_GetAttrString(i->module, "stop");
@@ -670,6 +670,7 @@ PyObject *pygetifaddrs(PyObject *self, PyObject *args)
 			pyiface = PyUnicode_FromString(iface->ifa_name);
 			pyafdict = PyDict_New();
 			PyDict_SetItemString (result, iface->ifa_name, pyafdict);
+			Py_DECREF(pyafdict);
 			Py_DECREF(pyiface);
 		}
 
@@ -678,6 +679,7 @@ PyObject *pygetifaddrs(PyObject *self, PyObject *args)
 		{
 			pyaflist = PyList_New(0);
 			PyDict_SetItem(pyafdict, pyaf, pyaflist);
+			Py_DECREF(pyaflist);
 		} else
 		{
 			pyaflist = PyDict_GetItem(pyafdict, pyaf);
@@ -862,22 +864,30 @@ PyObject *py_config(PyObject *self, PyObject *args)
 	obj2 = PyDict_New();
 	obj_value = py_config_string("dionaea", "listen.mode");
 	PyDict_SetItemString(obj2, "listen.mode", obj_value);
+	Py_XDECREF(obj_value);
 	obj_value = py_config_string_list("dionaea", "listen.interfaces");
 	PyDict_SetItemString(obj2, "listen.interfaces", obj_value);
+	Py_XDECREF(obj_value);
 	obj_value = py_config_string_list("dionaea", "listen.addresses");
 	PyDict_SetItemString(obj2, "listen.addresses", obj_value);
+	Py_XDECREF(obj_value);
 	obj_value = py_config_string("dionaea", "download.dir");
 	PyDict_SetItemString(obj2, "download.dir", obj_value);
+	Py_XDECREF(obj_value);
 
 	PyDict_SetItemString(obj, "dionaea", obj2);
+	Py_DECREF(obj2);
 
 	obj2 = PyDict_New();
 	obj_value = py_config_string_list("module.python", "ihandler_configs");
 	PyDict_SetItemString(obj2, "ihandler_configs", obj_value);
+	Py_XDECREF(obj_value);
 	obj_value = py_config_string_list("module.python", "service_configs");
 	PyDict_SetItemString(obj2, "service_configs", obj_value);
+	Py_XDECREF(obj_value);
 
 	PyDict_SetItemString(obj, "module", obj2);
+	Py_DECREF(obj2);
 
 	return obj;
 }

modules/speakeasy/detect.c

@@ -48,36 +48,44 @@ void speakeasy_set_shellcode_dir(const char *dir)
 	shellcode_dir = g_strdup(dir);
 }
 
+// SHA256 hex string is always 64 chars + null
+#define SHA256_HEX_SIZE 65
+// Max path: dir + "/shellcode-" + 64 hex chars + ".bin"/".txt" + null
+#define SHELLCODE_PATH_MAX 512
+
 /**
- * Compute SHA256 hash of data and return as hex string
- * Caller must free the returned string with g_free()
+ * Compute SHA256 hash of data and write hex string into caller-provided buffer
+ * Buffer must be at least SHA256_HEX_SIZE (65) bytes
+ * Returns true on success, false on failure
  */
-static char *compute_sha256_hex(const void *data, size_t len)
+static bool compute_sha256_hex(char *hex, size_t hex_size, const void *data, size_t len)
 {
 	unsigned char hash[EVP_MAX_MD_SIZE];
 	unsigned int hash_len;
 
+	if (hex_size < SHA256_HEX_SIZE)
+		return false;
+
 	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
 	if (ctx == NULL) {
-		return NULL;
+		return false;
 	}
 
 	if (EVP_DigestInit_ex(ctx, EVP_sha256(), NULL) != 1 ||
 	    EVP_DigestUpdate(ctx, data, len) != 1 ||
 	    EVP_DigestFinal_ex(ctx, hash, &hash_len) != 1) {
 		EVP_MD_CTX_free(ctx);
-		return NULL;
+		return false;
 	}
 	EVP_MD_CTX_free(ctx);
 
 	// Convert to hex string
-	char *hex = g_malloc(hash_len * 2 + 1);
 	for (unsigned int i = 0; i < hash_len; i++) {
 		snprintf(hex + i * 2, 3, "%02x", hash[i]);
 	}
 	hex[hash_len * 2] = '\0';
 
-	return hex;
+	return true;
 }
 
 /**
@@ -97,33 +105,37 @@ static bool save_shellcode(const void *data, size_t len, int offset,
 		return false;
 	}
 
-	char *sha256 = compute_sha256_hex(data, len);
-	if (sha256 == NULL) {
+	char sha256[SHA256_HEX_SIZE];
+	if (!compute_sha256_hex(sha256, sizeof(sha256), data, len)) {
 		g_warning("Failed to compute SHA256");
 		return false;
 	}
 
-	// Build file paths
-	char *bin_path = g_strdup_printf("%s/shellcode-%s.bin", shellcode_dir, sha256);
-	char *txt_path = g_strdup_printf("%s/shellcode-%s.txt", shellcode_dir, sha256);
+	// Build file paths on stack
+	char bin_path[SHELLCODE_PATH_MAX];
+	char txt_path[SHELLCODE_PATH_MAX];
+	int n = snprintf(bin_path, sizeof(bin_path), "%s/shellcode-%s.bin", shellcode_dir, sha256);
+	if (n < 0 || (size_t)n >= sizeof(bin_path)) {
+		g_warning("Shellcode bin path too long");
+		return false;
+	}
+	n = snprintf(txt_path, sizeof(txt_path), "%s/shellcode-%s.txt", shellcode_dir, sha256);
+	if (n < 0 || (size_t)n >= sizeof(txt_path)) {
+		g_warning("Shellcode txt path too long");
+		return false;
+	}
 
 	// Check if already exists (dedup by hash)
 	struct stat st;
 	if (stat(bin_path, &st) == 0) {
 		g_debug("Shellcode %s already saved", sha256);
-		g_free(sha256);
-		g_free(bin_path);
-		g_free(txt_path);
 		return true;
 	}
 
 	// Save binary data
 	FILE *f = fopen(bin_path, "wb");
 	if (f == NULL) {
 		g_warning("Failed to open %s for writing", bin_path);
-		g_free(sha256);
-		g_free(bin_path);
-		g_free(txt_path);
 		return false;
 	}
 	size_t written = fwrite(data, 1, len, f);
@@ -132,9 +144,6 @@ static bool save_shellcode(const void *data, size_t len, int offset,
 	if (written != len) {
 		g_warning("Failed to write shellcode data");
 		unlink(bin_path);
-		g_free(sha256);
-		g_free(bin_path);
-		g_free(txt_path);
 		return false;
 	}
 
@@ -166,9 +175,6 @@ static bool save_shellcode(const void *data, size_t len, int offset,
 
 	g_info("Saved shellcode %s.bin (%zu bytes, %s)", sha256, len, arch);
 
-	g_free(sha256);
-	g_free(bin_path);
-	g_free(txt_path);
 	return true;
 }
 
@@ -484,14 +490,14 @@ void proc_speakeasy_on_io_in(struct connection *con, struct processor_data *pd)
 	// All architectures now use execution-based validation to reduce false positives
 
 	// x86-32 uses libemu for emulation-based detection
-	struct emu *e = emu_new();
 	if( size <= 0 )
 	{
 		g_debug("No data to scan (size=%d)", size);
+		g_free(streamdata);
 		return;
 	}
-	uint16_t scan_size = (size > UINT16_MAX) ? UINT16_MAX : (uint16_t)size;
-	int ret_x86 = emu_shellcode_test_x86(e, streamdata, scan_size);
+	struct emu *e = emu_new();
+	int ret_x86 = emu_shellcode_test_x86(e, streamdata, (uint32_t)size);
 	emu_free(e);
 
 	// x86-64 still uses pattern-based detection (TODO: add execution validation)

modules/xmatch/xmatch.c

@@ -192,6 +192,7 @@ void proc_xmatch_on_io_in(struct connection *con, struct processor_data *pd)
 		return;
 	case 0:
 		g_debug("did not find any matches.");
+		g_free(streamdata);
 		return;
 	}
 

src/bistream.c

@@ -287,9 +287,11 @@ int32_t bistream_get_stream(struct bistream *bs, enum bistream_direction dir, ui
 	g_debug("found stream begin %p stream_offset %i size %i", itsc,  itsc->stream_offset, (int)itsc->data->len);
 
 	uint32_t offset = 0;
-	while( itsc->stream_offset < end )
+	while( 1 )
 	{
 		itsc = it->data;
+		if( itsc->stream_offset >= (uint32_t)end )
+			break;
 		uint32_t start_offset = 0;
 		uint32_t end_offset = itsc->data->len;