detect/frames: fix crash when parsing bad rule

Indexing of Signature::init_data::smlists would fail for a rule that used a frame w/o content, as the array would only be expanded when adding a content. Adding a check to see if there list id is in bounds is an implicit check for the "no content" case. Bug #5011.
4 years ago · e902aaf838
parent c6be6d2c6f
commit e902aaf838
1 changed files with 2 additions and 1 deletions
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@ -1672,7 +1672,8 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
    /* check for sticky buffers that were set w/o matches
     * e.g. alert ... (file_data; sid:1;) */
    if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
-        if (s->init_data->smlists[s->init_data->list] == NULL) {
+        if (s->init_data->list >= (int)s->init_data->smlists_array_size ||
+                s->init_data->smlists[s->init_data->list] == NULL) {
            SCLogError(SC_ERR_INVALID_SIGNATURE,
                    "rule %u setup buffer %s but didn't add matches to it", s->id,
                    DetectEngineBufferTypeGetNameById(de_ctx, s->init_data->list));