git.ipfire.org Git - people/ms/suricata.git/commit
thresholds: Fix buffer overflow in threshold context
author Mats Klepsland <mats.klepsland@gmail.com>
Thu, 27 May 2021 10:02:55 +0000 (12:02 +0200)
committer Victor Julien <victor@inliniac.net>
Fri, 4 Jun 2021 08:37:35 +0000 (10:37 +0200)
commit 2a326421aa29154ebfaada3888974a634feb5f56
tree c512a0a1491e9c5b30b712380dc154ffefe924da
parent f47e4375b3310554c13561efb2f382f04bd24340
thresholds: Fix buffer overflow in threshold context

th_entry is resized using ThresholdHashRealloc() every time a rule with
a threshold using by_rule tracking is added. The problem is that this is
done before the rules are reordered, so occasionally a rule with by_rule
tracking gets a higher signature number (after reordering) than the
number of th_entries allocated, causing Suricata to crash.

This commit fixes this by allocating th_entries after all the rules are
loaded and reordered.

Backtrace from core dump:

  Program terminated with signal SIGSEGV, Segmentation fault.

  #0  0x000000000051b381 in ThresholdHandlePacket (p=p@entry=0x7fb0080f3960, lookup_tsh=0x51, new_tsh=new_tsh@entry=0x7fb016c316e0, td=td@entry=0x14adedf0, sid=9800979, gid=1, pa=0x7fb0080f3b18)
      at detect-engine-threshold.c:415
  415>----                if (TIMEVAL_DIFF_SEC(p->ts, lookup_tsh->tv1) < td->seconds) {

Bug #4503.
src/detect-engine-build.c
src/detect-engine-threshold.c
src/detect-engine-threshold.h
src/detect-threshold.c
src/util-threshold-config.c
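
The ordering problem the commit message describes, as an added example that is not part of the commit or of Suricata's code: a simplified C model in which a per-rule table is sized from load-time rule numbers and then indexed with the numbers assigned after reordering. The struct, the function names and the three-rule sample set are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model with hypothetical names; not Suricata's code. */
struct rule { int prio; int by_rule; size_t num; };

static int cmp_prio(const void *a, const void *b) {
    const struct rule *x = a, *y = b;
    return (x->prio > y->prio) - (x->prio < y->prio);
}

/* Reorder step: sort, then renumber so num is the final table index. */
static void reorder(struct rule *r, size_t n) {
    qsort(r, n, sizeof *r, cmp_prio);
    for (size_t i = 0; i < n; i++) r[i].num = i;
}

/* Table size needed so every by_rule rule's current num is in range. */
static size_t table_size(const struct rule *r, size_t n) {
    size_t size = 0;
    for (size_t i = 0; i < n; i++)
        if (r[i].by_rule && r[i].num + 1 > size) size = r[i].num + 1;
    return size;
}

/* Count by_rule rules whose num would index past a table of `size`. */
static size_t out_of_range(const struct rule *r, size_t n, size_t size) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (r[i].by_rule && r[i].num >= size) bad++;
    return bad;
}

/* Constructed rule set: the by_rule rule loads first but sorts last.
 * size_after_reorder = 0: table sized at load time (the buggy ordering).
 * size_after_reorder = 1: table sized after reordering (the fixed ordering). */
size_t check_ordering(int size_after_reorder) {
    struct rule r[] = { {3, 1, 0}, {1, 0, 1}, {2, 0, 2} };
    size_t n = sizeof r / sizeof r[0];
    size_t size = table_size(r, n);      /* load-time numbering */
    reorder(r, n);                       /* by_rule rule is renumbered */
    if (size_after_reorder) size = table_size(r, n);
    return out_of_range(r, n, size);
}

int main(void) {
    printf("sized at load: %zu out of range\n", check_ordering(0));
    printf("sized after reorder: %zu out of range\n", check_ordering(1));
    return 0;
}
```
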