From 496f30a5e4417a7aa0c9b587d662702b287fa975 Mon Sep 17 00:00:00 2001 From: Anoop Saldanha Date: Tue, 24 Sep 2013 13:26:45 +0530 Subject: [PATCH] fix for bug #970(ac-bs). Content strings that are a duplicate of a pattern from another sig, but have a fast_pattern chop being applied, would end up being assigned the same pattern id as the duplicate string. But the string supplied to the mpm would be the chopped string, which might result in the state_table output_state content entry being over-riden by the the fuller string at the final state of the smaller content length, because of which during a match we might end up inspecting the search buffer against the fuller content pattern, instead of the chopped pattern, which would end up being an inspection beyond the buffer bounds. --- src/util-mpm-ac-bs.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/util-mpm-ac-bs.c b/src/util-mpm-ac-bs.c index 0d36a93793..c42874e39d 100644 --- a/src/util-mpm-ac-bs.c +++ b/src/util-mpm-ac-bs.c @@ -1500,6 +1500,8 @@ uint32_t SCACBSSearch(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, uint32_t k; for (k = 0; k < no_of_entries; k++) { if (pids[k] & 0xFFFF0000) { + if ((i + 1) < pid_pat_list[pids[k] & 0x0000FFFF].patlen) + continue; if (SCMemcmp(pid_pat_list[pids[k] & 0x0000FFFF].cs, buf + i - pid_pat_list[pids[k] & 0x0000FFFF].patlen + 1, pid_pat_list[pids[k] & 0x0000FFFF].patlen) != 0) { @@ -1583,6 +1585,8 @@ uint32_t SCACBSSearch(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx, uint32_t k; for (k = 0; k < no_of_entries; k++) { if (pids[k] & 0xFFFF0000) { + if ((i + 1) < pid_pat_list[pids[k] & 0x0000FFFF].patlen) + continue; if (SCMemcmp(pid_pat_list[pids[k] & 0x0000FFFF].cs, buf + i - pid_pat_list[pids[k] & 0x0000FFFF].patlen + 1, pid_pat_list[pids[k] & 0x0000FFFF].patlen) != 0) {