Headline
CVE-2021-41497: Potential Null pointer access in CMS_Conservative_increment_obj · Issue #47 · RaRe-Technologies/bounter
A NULL pointer dereference in CMS_Conservative_increment_obj in RaRe-Technologies bounter versions 1.01 and 1.10 allows attackers to cause a denial of service by supplying a huge hash-bucket width.
Description
In CMS_Conservative_init, w (the table width) is received from Python code.
Its size is not validated, so the allocation “self->table[i] = (CMS_CELL_TYPE *) calloc(self->width, sizeof(CMS_CELL_TYPE));” may fail and return NULL, and that return value is never checked.
self->table[i] is later dereferenced in CMS_Conservative_increment_obj, which crashes the Python process.
Steps/Code/Corpus to Reproduce
static int
CMS_VARIANT(_init)(CMS_TYPE *self, PyObject *args, PyObject *kwds)
{
    .........................
    for (i = 0; i < self->depth; i++)
    {
        /* self->width comes straight from Python and is not bounded here */
        self->table[i] = (CMS_CELL_TYPE *) calloc(self->width, sizeof(CMS_CELL_TYPE));
        /* no check that calloc succeeded: a NULL row is stored and used later */
        printf ("[%d]self->table[%d] = %p \r\n", i, i, self->table[i]);
    }
    ...........................

One possible call path to the crash: increment -> CMS_Log1024_increment -> CMS_Conservative_increment_obj
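A hardened form of the allocation loop and of the increment, added here as an illustration and not code from the bounter project: width and depth are bounded before allocating, every calloc result is checked, partially built tables are released, and the increment refuses to touch a table that was never allocated. The names cms_t, cell_t, cms_alloc_table, cms_increment, the size limits and the cms_simulate_oom switch are assumed stand-ins.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-ins for bounter's CMS_CELL_TYPE / CMS_TYPE (assumed names, not the project's). */
typedef unsigned int cell_t;
typedef struct { size_t width; size_t depth; cell_t **table; } cms_t;
/* Constructed upper bounds for sizes received from Python (not limits bounter defines). */
#define CMS_MAX_WIDTH ((size_t)1 << 28)
#define CMS_MAX_DEPTH ((size_t)64)
/* Set to 1 to make every allocation fail, so the failure path can be exercised. */
static int cms_simulate_oom = 0;
static void *cms_calloc(size_t n, size_t size) { return cms_simulate_oom ? NULL : calloc(n, size); }
void cms_free_table(cms_t *cms)
{
    size_t i;
    for (i = 0; cms->table != NULL && i < cms->depth; i++)
        free(cms->table[i]);               /* free(NULL) is a no-op */
    free(cms->table);
    memset(cms, 0, sizeof *cms);
}
/* Hardened form of the loop in the report: bound width/depth, check every calloc
   result and release what was already allocated on failure. Returns 0 or -1. */
int cms_alloc_table(cms_t *cms, size_t width, size_t depth)
{
    size_t i;
    memset(cms, 0, sizeof *cms);
    if (width == 0 || depth == 0 || width > CMS_MAX_WIDTH || depth > CMS_MAX_DEPTH)
        return -1;                         /* reject absurd sizes before allocating */
    if ((cms->table = cms_calloc(depth, sizeof *cms->table)) == NULL)
        return -1;
    cms->width = width;
    cms->depth = depth;
    for (i = 0; i < depth; i++) {
        cms->table[i] = cms_calloc(width, sizeof(cell_t));
        if (cms->table[i] == NULL) {       /* the check the report says is missing */
            cms_free_table(cms);
            return -1;
        }
    }
    return 0;
}

/* Increment that never dereferences an unallocated table (the crash site in the report). */
int cms_increment(cms_t *cms, size_t row, size_t col)
{
    if (cms->table == NULL || row >= cms->depth || col >= cms->width)
        return -1;
    cms->table[row][col]++;
    return 0;
}
```

The Python-facing wrapper would turn the -1 from cms_alloc_table into a ValueError or MemoryError instead of storing a NULL row.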
Expected Results
When w is set to an arbitrary number, Python should not crash.
Actual Results
crash
Versions
the main branch