Skip to content

netstat: add cycle detection to Next pointer walk#1997

Open
TristanInSec wants to merge 1 commit into
volatilityfoundation:developfrom
TristanInSec:fix/netstat-cycle-detection
Open

netstat: add cycle detection to Next pointer walk#1997
TristanInSec wants to merge 1 commit into
volatilityfoundation:developfrom
TristanInSec:fix/netstat-cycle-detection

Conversation

@TristanInSec

@TristanInSec TristanInSec commented Jun 18, 2026

Copy link
Copy Markdown

Summary

The enumerate_structures_by_port method walks a singly-linked list of network objects via the Next field without checking for cycles. A memory dump containing a self-referential Next pointer causes the plugin to loop indefinitely.

This adds a seen_addresses set to detect and break cycles, consistent with existing cycle detection patterns in the codebase:

  • LIST_ENTRY.to_list() uses a seen set
  • pidhashtable._walk_upid() uses seen_upids
  • pagecache._walk_dentry() uses seen_dentries

Change

One file, +9 lines. A seen_addresses set tracks visited pointer values. If a previously seen address is encountered, the walk logs a warning and stops.

@TristanInSec
netstat: add cycle detection to Next pointer walk
892ba78 
The enumerate_structures_by_port method walks a singly-linked list
of TCP_LISTENER/UDP_ENDPOINT objects via the Next field without
checking for cycles. A memory dump with a self-referential Next
pointer causes an infinite loop.

Add a seen_addresses set to detect and break cycles, consistent
with cycle detection in LIST_ENTRY.to_list, pidhashtable._walk_upid,
and pagecache._walk_dentry.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@TristanInSec