Skip to content

Fix for issue #2056 #2173

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
atomicturtle merged 2 commits into from
Jan 24, 2026
+70 −0
Merged

Fix for issue #2056 #2173

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
29c07e3
Fix for issue #2056
atomicturtle Jan 24, 2026
61117ca
Update src/analysisd/decoders/syscheck.c
atomicturtle Jan 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions src/analysisd/decoders/syscheck.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -663,8 +663,16 @@ static int DB_Search(const char *f_name, const char *c_sum, Eventinfo *lf)
"New sha256sum is : '%s'\n",
newfilesha256);
os_strdup(newfilesha256, lf->sha256_after);
} else {
sdb.sha256[0] = '\0';
}

if (!newfilemd5) {
newfilemd5 = "Unknown";
}
if (!newfilesha1) {
newfilesha1 = "Unknown";
}
/* SHA-1 message */
snprintf(sdb.sha1, OS_FLSIZE,
"New sha1sum is : '%s'\n",
Expand Down
62 changes: 62 additions & 0 deletions src/tests/regressions/issue_2056_repro_crash.c
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
#include "shared.h"
Copy link

Copilot AI Jan 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing copyright header. All other test files in src/tests include a copyright header at the top (e.g., test_os_crypto.c:1-8, test_shared.c:1-8). This file should include the same copyright notice for consistency with the codebase convention.

Copilot uses AI. Check for mistakes.
#include "analysisd/eventinfo.h"
#include "analysisd/config.h"

/* Mock global config */
/* _Config Config; -- defined in config-live.o */

/* Stubs for missing symbols */
void *NULL_Decoder = NULL;
int ReadConfig(int modules, const char *cfgfile, void *d1, void *d2) { return 0; }

/* External function */
void SyscheckInit();
int DecodeSyscheck(Eventinfo *lf);

int main()
{
/* Initialize Syscheck DB (Allocate sdb.syscheck_dec) */
SyscheckInit();

Eventinfo lf;
memset(&lf, 0, sizeof(Eventinfo));

/* Initialize Mock Config */
Config.syscheck_alert_new = 1; /* Crucial to trigger the vulnerable path */

/* Malformed input: Fewer than 6 tokens in checksum part */
/* Format: checksum filename */
/* Checksum expected: c_sum:md5:sha1... based on ":" parsing */
/* We provide a short checksum string */
char *input_msg = "badchecksum:1234:short /tmp/testfile";

/* Setup Eventinfo */
lf.log = strdup(input_msg);
lf.location = "localhost";

printf("Attempting to call DecodeSyscheck with malformed input (Regression check)...\n");
fflush(stdout);
DecodeSyscheck(&lf);
printf("Survived Malformed Input!\n");
fflush(stdout);

/* Cleanup Test Case 1 resources */
free(lf.log);
if(lf.full_log) free(lf.full_log);
/* Note: other fields leaked for simplicity, just zeroing struct for next test */
memset(&lf, 0, sizeof(Eventinfo));

/* Test Case 2: Full Checksum with SHA256 */
/* Format: 1:2:3:4:MD5:SHA1:SHA256 */
char *input_msg_full = "ignore:ignore:ignore:ignore:MYMD5:MYSHA1:MYSHA256 /tmp/testfile_sha256";
lf.log = strdup(input_msg_full);
lf.location = "localhost";

printf("Attempting to call DecodeSyscheck with SHA256 input...\n");
fflush(stdout);
DecodeSyscheck(&lf);
printf("Survived SHA256 Input!\n");
fflush(stdout);
Comment on lines +37 to +59
Copy link

Copilot AI Jan 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test lacks proper assertions and error checking. The test calls DecodeSyscheck but doesn't verify the return value or check if the function behaves correctly. It only checks that the program doesn't crash. A proper test should verify that the function returns the expected result and that output fields are set correctly, especially since this is meant to test that the fix properly handles malformed input.

Copilot uses AI. Check for mistakes.

Copy link

Copilot AI Jan 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Memory leak in the second test case. The test allocates memory for lf.log via strdup at line 52, but never frees it before the function returns. The cleanup section for test case 1 (lines 44-47) includes proper freeing, but test case 2 lacks this cleanup.

Suggested change
/* Cleanup Test Case 2 resources */
free(lf.log);
if (lf.full_log) {
free(lf.full_log);
}

Copilot uses AI. Check for mistakes.
return 0;
}
Comment on lines +16 to +62
Copy link

Copilot AI Jan 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test file doesn't follow the established testing convention used in this codebase. All other test files in src/tests (test_os_crypto.c, test_os_net.c, test_os_regex.c, test_os_xml.c, test_os_zlib.c, test_shared.c) use the Check unit testing framework with START_TEST/END_TEST macros, test suites, and proper test runners. This regression test should be refactored to follow the same pattern for consistency.

Copilot uses AI. Check for mistakes.