signature: fixes leak with duplicate signatures

6 years ago · c775a4af43
parent 63deb8862f
commit c775a4af43
2 changed files with 67 additions and 0 deletions
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@ -2184,6 +2184,18 @@ static inline int DetectEngineSignatureIsDuplicate(DetectEngineCtx *de_ctx,
    sw_dup->s = sig;
    sw_dup->s_prev = NULL;

+    if (de_ctx->sig_list != NULL) {
+        SigDuplWrapper sw_tmp;
+        memset(&sw_tmp, 0, sizeof(SigDuplWrapper));
+        sw_tmp.s = de_ctx->sig_list;
+        SigDuplWrapper *sw_old = HashListTableLookup(de_ctx->dup_sig_hash_table,
+                                                     (void *)&sw_tmp, 0);
+        if (sw_old->s != sw_dup->s) {
+            // Link on top of the list if there was another element
+            sw_old->s_prev = sig;
+        }
+    }
+
    /* this is duplicate, but a duplicate that replaced the existing sig entry */
    ret = 2;

@ -4010,9 +4022,16 @@ static int SigParseBidirWithSameSrcAndDest02(void)

 #endif /* UNITTESTS */

+#ifdef UNITTESTS
+void DetectParseRegisterTests (void);
+#include "tests/detect-parse.c"
+#endif
+
 void SigParseRegisterTests(void)
 {
 #ifdef UNITTESTS
+    DetectParseRegisterTests();
+
    UtRegisterTest("SigParseTest01", SigParseTest01);
    UtRegisterTest("SigParseTest02", SigParseTest02);
    UtRegisterTest("SigParseTest03", SigParseTest03);
--- a/src/tests/detect-parse.c
+++ b/src/tests/detect-parse.c
@ -0,0 +1,48 @@
+
+/* Copyright (C) 2007-2019 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#include "../detect-parse.h"
+#include "../util-unittest.h"
+
+/**
+ * \test DetectParseTest01 is a regression test against a memory leak
+ * in the case of multiple signatures with different revisions
+ * Leak happened in function DetectEngineSignatureIsDuplicate
+ */
+
+static int DetectParseTest01 (void)
+{
+    DetectEngineCtx * de_ctx = DetectEngineCtxInit();
+    FAIL_IF(DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:\"sid 1 version 0\"; content:\"dummy1\"; sid:1;)") == NULL);
+    DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:\"sid 2 version 0\"; content:\"dummy2\"; sid:2;)");
+    DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:\"sid 1 version 1\"; content:\"dummy1.1\"; sid:1; rev:1;)");
+    DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:\"sid 2 version 2\"; content:\"dummy2.1\"; sid:2; rev:1;)");
+    FAIL_IF(de_ctx->sig_list->next == NULL);
+    DetectEngineCtxFree(de_ctx);
+
+    PASS;
+}
+
+
+/**
+ * \brief this function registers unit tests for DetectParse
+ */
+void DetectParseRegisterTests(void)
+{
+    UtRegisterTest("DetectParseTest01", DetectParseTest01);
+}