From 9c5ee76455361feaac3fc7207ef40175c485f7d7 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Sat, 26 Mar 2016 12:05:50 +0100
Subject: [PATCH] tcp: fix unlikely NULL-ptr dereference

If a TCP packet could not get a flow (flow engine out of flows/memory) and there were *only* TCP inspecting rules with the direction explicitly set to 'to_server', a NULL pointer deref could happen. PacketPatternSearchWithStreamCtx would fall through to the 'to_client' case which was not initialized.
---
 src/detect-engine-mpm.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c
index 5a21823ce8..9d1a9fc162 100644
--- a/src/detect-engine-mpm.c
+++ b/src/detect-engine-mpm.c
@@ -183,20 +183,25 @@ uint32_t PacketPatternSearchWithStreamCtx(DetectEngineThreadCtx *det_ctx,
     SCEnter();
     uint32_t ret = 0;
+    MpmCtx *mpm_ctx = NULL;
     if (p->flowflags & FLOW_PKT_TOSERVER) {
         DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_stream_ctx_ts == NULL);
-        ret = mpm_table[det_ctx->sgh->mpm_stream_ctx_ts->mpm_type].
-            Search(det_ctx->sgh->mpm_stream_ctx_ts, &det_ctx->mtc, &det_ctx->pmq,
-                   p->payload, p->payload_len);
+        mpm_ctx = det_ctx->sgh->mpm_stream_ctx_ts;
+
     } else {
         DEBUG_VALIDATE_BUG_ON(det_ctx->sgh->mpm_stream_ctx_tc == NULL);
-        ret = mpm_table[det_ctx->sgh->mpm_stream_ctx_tc->mpm_type].
-            Search(det_ctx->sgh->mpm_stream_ctx_tc, &det_ctx->mtc, &det_ctx->pmq,
-                   p->payload, p->payload_len);
+        mpm_ctx = det_ctx->sgh->mpm_stream_ctx_tc;
     }
+    if (unlikely(mpm_ctx == NULL)) {
+        SCReturnInt(0);
+    }
+
+    ret = mpm_table[mpm_ctx->mpm_type].
+        Search(mpm_ctx, &det_ctx->mtc, &det_ctx->pmq,
+               p->payload, p->payload_len);
     SCReturnInt(ret);
 }
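Review bot: The two DEBUG_VALIDATE_BUG_ON(... == NULL) lines kept in the if/else branches now contradict the NULL handling added right after them: if that macro aborts in debug-validation builds, as its name suggests, the flow-less packet case the commit message describes would still trip the assertion before ever reaching `if (unlikely(mpm_ctx == NULL))`, so the fix cannot be exercised in such a build. Either drop both assertions or replace each with a comment such as `/* may be NULL: flow-less packet with no rules for this direction; handled below */`. The early `SCReturnInt(0);` also deserves a one-line comment stating that 0 here means "not inspected" rather than "no match", since a packet without a flow silently skips stream-ctx pattern matching in that direction and a reader of the caller may not realise that. The function's signature and opening brace sit before the hunk.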