From 7d0851b0c2ee105e812ee5a2b92a3613d5dcfc1c Mon Sep 17 00:00:00 2001
From: Victor Julien <vjulien@oisf.net>
Date: Tue, 4 Jul 2023 20:42:23 +0200
Subject: [PATCH] detect: create more strict rule validation

Don't allow control characters other than LF, CR, TAB.
---
 src/detect-parse.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/src/detect-parse.c b/src/detect-parse.c
index 2c7d8f2ec6..152a821c56 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -1320,6 +1320,22 @@ error:
     return -1;
 }
 
+static inline bool CheckAscii(const char *str)
+{
+    for (size_t i = 0; i < strlen(str); i++) {
+        if (str[i] < 0x20) {
+            // LF CR TAB
+            if (str[i] == 0x0a || str[i] == 0x0d || str[i] == 0x09) {
+                continue;
+            }
+            return false;
+        } else if (str[i] == 0x7f) {
+            return false;
+        }
+    }
+    return true;
+}
+
 /**
  *  \brief parse a signature
  *
@@ -1341,6 +1357,11 @@ static int SigParse(DetectEngineCtx *de_ctx, Signature *s,
         SCReturnInt(-1);
     }
 
+    if (!CheckAscii(sigstr)) {
+        SCLogError("rule contains invalid (control) characters");
+        SCReturnInt(-1);
+    }
+
     s->sig_str = SCStrdup(sigstr);
     if (unlikely(s->sig_str == NULL)) {
         SCReturnInt(-1);