|
|
|
|
/* OFFSET part of the detection engine. */
|
|
|
|
|
|
|
|
|
|
#include "suricata-common.h"
|
|
|
|
|
|
|
|
|
|
#include "decode.h"
|
|
|
|
|
#include "detect.h"
|
|
|
|
|
#include "flow-var.h"
|
|
|
|
|
|
|
|
|
|
#include "detect-content.h"
|
|
|
|
|
#include "detect-pcre.h"
|
|
|
|
|
|
|
|
|
|
#include "util-debug.h"
|
|
|
|
|
|
|
|
|
|
int DetectOffsetSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *offsetstr);
|
|
|
|
|
|
|
|
|
|
void DetectOffsetRegister (void) {
|
|
|
|
|
sigmatch_table[DETECT_OFFSET].name = "offset";
|
|
|
|
|
sigmatch_table[DETECT_OFFSET].Match = NULL;
|
|
|
|
|
sigmatch_table[DETECT_OFFSET].Setup = DetectOffsetSetup;
|
|
|
|
|
sigmatch_table[DETECT_OFFSET].Free = NULL;
|
|
|
|
|
sigmatch_table[DETECT_OFFSET].RegisterTests = NULL;
|
|
|
|
|
|
|
|
|
|
sigmatch_table[DETECT_OFFSET].flags |= SIGMATCH_PAYLOAD;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int DetectOffsetSetup (DetectEngineCtx *de_ctx, Signature *s, SigMatch *m, char *offsetstr)
|
|
|
|
|
{
|
|
|
|
|
char *str = offsetstr;
|
|
|
|
|
char dubbed = 0;
|
|
|
|
|
|
|
|
|
|
//printf("DetectOffsetSetup: s->match:%p,m:%p,offsetstr:\'%s\'\n", s->match, m, offsetstr);
|
|
|
|
|
|
|
|
|
|
/* strip "'s */
|
|
|
|
|
if (offsetstr[0] == '\"' && offsetstr[strlen(offsetstr)-1] == '\"') {
|
|
|
|
|
str = strdup(offsetstr+1);
|
|
|
|
|
str[strlen(offsetstr)-2] = '\0';
|
|
|
|
|
dubbed = 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** Search for the first previous DetectContent
|
|
|
|
|
* SigMatch (it can be the same as this one) */
|
|
|
|
|
SigMatch *pm = DetectContentFindPrevApplicableSM(m);
|
|
|
|
|
if (pm == NULL) {
|
|
|
|
|
SCLogError(SC_ERR_OFFSET_MISSING_CONTENT, "offset needs a preceeding content option");
|
Memory leak cleanup in detectors
Hello,
I ran the code through an analysis program and found several leaks that
should be cleaned up.
*In src/detect-engine-address-ipv4.c at line 472, the test for ag == NULL
will never be true since that is the loop entry test.
*In src/detect-engine-port.c at line 1133, the test for p == NULL will
never be true since that is the loop entry test.
*In src/detect-engine-mpm.c at line 263 is a return without freeing
fast_pattern
*In src/detect-ack.c at line 80 and 85, data catches the return from malloc.
One of them should be deleted.
*In src/detect-seq.c at line 81 and 86, data catches the return from malloc.
One of them should be deleted.
*In src/detect-content.c at line 749, many of the paths that lead to the error
exit still has temp pointing to allocated memory. To clean this up, temp
should be set to NULL if not immediately assigning and new value.
*In src/detect-uricontent.c at line 319, both cd and str needto be freed. At
lines 344, str needs to be freed. And at line 347 str and temp need to be
freed.
*In src/detect-flowbits.c at line 231 and 235, str was not being freed. cd was
not being freed at line 235.
*In src/detect-flowvar.c at line 127, str was not being freed. At line 194, cd
and str were not being freed.
*In src/detect-flowint.c at line 277, sfd was not being freed. At line 315, str
was not being freed.
*In src/detect-pktvar.c at line 121, str was not being freed. At line 188, str
and cd was not being freed.
*In src/detect-pcre.c at line 389, there is an extra free of "re" that should
be deleted.
*In src/detect-depth.c at line 42 & 48, str has not been freed.
*In src/detect-distance.c at line 49 and 55, str has not been freed
*In src/detect-offset.c at line 45, str has not been freed.
The patch below fixes these issues.
-Steve
16 years ago
|
|
|
if (dubbed) free(str);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DetectContentData *cd = (DetectContentData *)pm->ctx;
|
|
|
|
|
if (cd == NULL) {
|
|
|
|
|
SCLogError(SC_ERR_INVALID_ARGUMENT, "invalid argument");
|
Memory leak cleanup in detectors
Hello,
I ran the code through an analysis program and found several leaks that
should be cleaned up.
*In src/detect-engine-address-ipv4.c at line 472, the test for ag == NULL
will never be true since that is the loop entry test.
*In src/detect-engine-port.c at line 1133, the test for p == NULL will
never be true since that is the loop entry test.
*In src/detect-engine-mpm.c at line 263 is a return without freeing
fast_pattern
*In src/detect-ack.c at line 80 and 85, data catches the return from malloc.
One of them should be deleted.
*In src/detect-seq.c at line 81 and 86, data catches the return from malloc.
One of them should be deleted.
*In src/detect-content.c at line 749, many of the paths that lead to the error
exit still has temp pointing to allocated memory. To clean this up, temp
should be set to NULL if not immediately assigning and new value.
*In src/detect-uricontent.c at line 319, both cd and str needto be freed. At
lines 344, str needs to be freed. And at line 347 str and temp need to be
freed.
*In src/detect-flowbits.c at line 231 and 235, str was not being freed. cd was
not being freed at line 235.
*In src/detect-flowvar.c at line 127, str was not being freed. At line 194, cd
and str were not being freed.
*In src/detect-flowint.c at line 277, sfd was not being freed. At line 315, str
was not being freed.
*In src/detect-pktvar.c at line 121, str was not being freed. At line 188, str
and cd was not being freed.
*In src/detect-pcre.c at line 389, there is an extra free of "re" that should
be deleted.
*In src/detect-depth.c at line 42 & 48, str has not been freed.
*In src/detect-distance.c at line 49 and 55, str has not been freed
*In src/detect-offset.c at line 45, str has not been freed.
The patch below fixes these issues.
-Steve
16 years ago
|
|
|
if (dubbed) free(str);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cd->offset = (uint32_t)atoi(str);
|
|
|
|
|
|
|
|
|
|
/* check if offset and depth make sense with the pattern len */
|
|
|
|
|
if (cd->depth != 0) {
|
|
|
|
|
if (cd->content_len + cd->offset > cd->depth) {
|
|
|
|
|
SCLogDebug("depth increased to %"PRIu32" to match pattern len and offset", cd->content_len + cd->offset);
|
|
|
|
|
cd->depth = cd->content_len + cd->offset;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** Propagate the modifiers through the first chunk
|
|
|
|
|
* (SigMatch) if we're dealing with chunks */
|
|
|
|
|
if (cd->flags & DETECT_CONTENT_IS_CHUNK)
|
|
|
|
|
DetectContentPropagateOffset(pm);
|
|
|
|
|
|
|
|
|
|
if (dubbed) free(str);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
