Harden against a couple memory issues

stevegrubb · stevegrubb · commit c9d23011a36d · 2025-11-15T12:35:51.000-05:00
Hardened plist_append to free the freshly allocated node when duplicating the plugin configuration fails, avoiding a dangling pointer assignment.

Updated cleanup_event to respect the optional event_is_prealloc hook before freeing events, preventing accidental frees of pooled objects.

Ensured client messages are NUL-terminated within buffer bounds by clamping the termination index before modifying the header buffer.
diff --git a/audisp/audispd-llist.c b/audisp/audispd-llist.c
@@ -79,9 +79,13 @@ int plist_append(conf_llist *l, plugin_conf_t *p)
 
 	if (p) {
 		void *pp = malloc(sizeof(struct plugin_conf));
-		if (pp)
+		if (pp) {
 			memcpy(pp, p, sizeof(struct plugin_conf));
-		newnode->p = pp;
+			newnode->p = pp;
+		} else {
+			free(newnode);
+			return 1;
+		}
 	} else
 		newnode->p = NULL;
 
diff --git a/src/auditd-event.c b/src/auditd-event.c
@@ -580,7 +580,9 @@ void cleanup_event(struct auditd_event *e)
 	// into the middle of the reply allocation. Check for it.
 	if (e->reply.message != e->reply.msg.data)
 		free((void *)e->reply.message);
-	if (!event_is_prealloc || !event_is_prealloc(e))
+	if (!event_is_prealloc)
+		free(e);
+	else if (!event_is_prealloc(e))
 		free(e);
 }
 
diff --git a/src/auditd-listen.c b/src/auditd-listen.c
@@ -564,10 +564,17 @@ static void client_message (struct ev_tcp *io, unsigned int length,
 	if (AUDIT_RMW_IS_MAGIC (header, length)) {
 		AUDIT_RMW_UNPACK_HEADER (header, hver, mver, type, mlen, seq)
 
-		ch = header[length];
-		header[length] = 0;
-		if (length > 1 && header[length-1] == '\n')
-			header[length-1] = 0;
+		size_t term_idx;
+
+		if (length >= MAX_AUDIT_MESSAGE_LENGTH)
+			term_idx = MAX_AUDIT_MESSAGE_LENGTH - 1;
+		else
+			term_idx = length;
+
+		ch = header[term_idx];
+		header[term_idx] = 0;
+		if (term_idx > 1 && header[term_idx-1] == '\n')
+			header[term_idx-1] = 0;
 		if (type == AUDIT_RMW_TYPE_HEARTBEAT) {
 			unsigned char ack[AUDIT_RMW_HEADER_SIZE];
 			AUDIT_RMW_PACK_HEADER (ack, 0, AUDIT_RMW_TYPE_ACK,
@@ -580,7 +587,7 @@ static void client_message (struct ev_tcp *io, unsigned int length,
 			if (e)
 				distribute_event(e);
 		}
-		header[length] = ch;
+		header[term_idx] = ch;
 	}
 }
 
