DetectGidSet - safer stripping of quotes.

Discovered by AFL when using a rule like: alert tcp any any -> any any (content:"ABC"; gid:";) resulting a negative array index.
10 years ago · 8911b04077
parent da88b3b787
commit 8911b04077
1 changed files with 34 additions and 6 deletions
--- a/src/detect-gid.c
+++ b/src/detect-gid.c
@ -71,13 +71,15 @@ static int DetectGidSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
    char *str = rawstr;
    char dubbed = 0;

-    /* strip "'s */
-    if (rawstr[0] == '\"' && rawstr[strlen(rawstr)-1] == '\"') {
-        str = SCStrdup(rawstr+1);
-        if (unlikely(str == NULL))
+    /* Strip leading and trailing "s. */
+    if (rawstr[0] == '\"') {
+        str = SCStrdup(rawstr + 1);
+        if (unlikely(str == NULL)) {
            return -1;
-
-        str[strlen(rawstr)-2] = '\0';
+        }
+        if (strlen(str) && str[strlen(str) - 1] == '\"') {
+            str[strlen(str) - 1] = '\"';
+        }
        dubbed = 1;
    }

@ -160,6 +162,31 @@ end:
        DetectEngineCtxFree(de_ctx);
    return result;
 }
+
+/**
+ * \test Test a gid consisting of a single quote.
+ *
+ * \retval 1 on succces
+ * \retval 0 on failure
+ */
+static int GidTestParse03 (void)
+{
+    int result = 0;
+
+    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+    if (de_ctx == NULL)
+        goto end;
+
+    if (DetectEngineAppendSig(de_ctx,
+            "alert tcp any any -> any any (content:\"ABC\"; gid:\";)") != NULL)
+        goto end;
+
+    result = 1;
+end:
+    if (de_ctx != NULL)
+        DetectEngineCtxFree(de_ctx);
+    return result;
+}
 #endif /* UNITTESTS */

 /**
@ -170,5 +197,6 @@ void GidRegisterTests(void)
 #ifdef UNITTESTS
    UtRegisterTest("GidTestParse01", GidTestParse01, 1);
    UtRegisterTest("GidTestParse02", GidTestParse02, 1);
+    UtRegisterTest("GidTestParse03", GidTestParse03, 1);
 #endif /* UNITTESTS */
 }