aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

update handling negative offsets in byte_extract. Also improve validation in byte_extract to not extract values out of the buffer range

Browse Source
remotes/origin/master
Anoop Saldanha 13 years ago committed by Victor Julien
parent 18837dce92
commit 37f66e5f46
2 changed files with 95 additions and 2 deletions
Show Stats Download Patch File Download Diff File

31
src/detect-byte-extract.c
Unescape Escape View File

@ -77,7 +77,7 @@
#define PARSE_REGEX "^" \
"\\s*([0-9]+)\\s*" \
",\\s*([0-9]+)\\s*" \
",\\s*(-?[0-9]+)\\s*" \
",\\s*([^\\s,]+)\\s*" \
"(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
"(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
@ -175,7 +175,7 @@ int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, SigMatch *sm,
}
/* Validate that the to-be-extracted is within the packet */
if (data->nbytes > len) {
if (ptr < payload || data->nbytes > len) {
SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%"PRIu32", nbytes=%d",
payload, ptr, len, data->nbytes);
return 0;
@ -4757,6 +4757,32 @@ static int DetectByteExtractTest62(void)
return result;
}
int DetectByteExtractTest63(void)
{
int result = 0;
DetectByteExtractData *bed = DetectByteExtractParse("4, -2, one");
if (bed == NULL)
goto end;
if (bed->nbytes != 4 ||
bed->offset != -2 ||
strcmp(bed->name, "one") != 0 ||
bed->flags != 0 ||
bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
bed->align_value != 0 ||
bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
result = 1;
end:
if (bed != NULL)
DetectByteExtractFree(bed);
return result;
}
#endif /* UNITTESTS */
void DetectByteExtractRegisterTests(void)
@ -4832,6 +4858,7 @@ void DetectByteExtractRegisterTests(void)
UtRegisterTest("DetectByteExtractTest60", DetectByteExtractTest60, 1);
UtRegisterTest("DetectByteExtractTest61", DetectByteExtractTest61, 1);
UtRegisterTest("DetectByteExtractTest62", DetectByteExtractTest62, 1);
UtRegisterTest("DetectByteExtractTest63", DetectByteExtractTest63, 1);
#endif /* UNITTESTS */
return;

66
src/detect-engine-payload.c
Unescape Escape View File

@ -815,6 +815,70 @@ end:
return result;
}
/*
* \test Test negative byte extract.
*/
static int PayloadTestSig25(void)
{
uint8_t buf[] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
0x0E, 0x0F,
};
uint16_t buflen = sizeof(buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"|35 07 08 09|\"; "
"byte_extract:1,-4,one,string,dec,relative; "
"content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
/*
* \test Test negative byte extract.
*/
static int PayloadTestSig26(void)
{
uint8_t buf[] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
0x0E, 0x0F,
};
uint16_t buflen = sizeof(buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"|35 07 08 09|\"; "
"byte_extract:1,-3000,one,string,dec,relative; "
"content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
if (UTHPacketMatchSigMpm(p, sig, MPM_AC) != 0) {
result = 0;
goto end;
}
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
#endif /* UNITTESTS */
void PayloadRegisterTests(void) {
@ -844,6 +908,8 @@ void PayloadRegisterTests(void) {
UtRegisterTest("PayloadTestSig22", PayloadTestSig22, 1);
UtRegisterTest("PayloadTestSig23", PayloadTestSig23, 1);
UtRegisterTest("PayloadTestSig24", PayloadTestSig24, 1);
UtRegisterTest("PayloadTestSig25", PayloadTestSig25, 1);
UtRegisterTest("PayloadTestSig26", PayloadTestSig26, 1);
#endif /* UNITTESTS */
return;

Write Preview
Loading…
Cancel
Save