flowbits: validate that there are no spaces in the name

Fixes issue: https://redmine.openinfosecfoundation.org/issues/1889

To catch the issue where the ';' is missing we have to expand the
regex to capture the whole name string, not just the leading
valid stuff. Then verify that there are no spaces in the name
(Snort has the same restriction) and fail if there is.

diff --git a/src/detect-flowbits.c b/src/detect-flowbits.c
index 9752f03e8bd5f18092e901842b083db30f059e10..5100f7f998a9422d4a1b9abf4f2f910cd176aa3b 100644 (file)
--- a/src/detect-flowbits.c
+++ b/src/detect-flowbits.c
@@ -45,7 +45,7 @@
 #include "util-unittest.h"
 #include "util-debug.h"
 
-#define PARSE_REGEX         "([a-z]+)(?:,\\s*([^\\s]*))?"
+#define PARSE_REGEX         "([a-z]+)(?:,\\s*(.*))?"
 static pcre *parse_regex;
 static pcre_extra *parse_regex_study;
 
@@ -182,6 +182,20 @@ static int DetectFlowbitParse(char *str, char *cmd, int cmd_len, char *name,
             SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
             return 0;
         }
+
+        /* Trim trailing whitespace. */
+        while (strlen(name) > 0 && isblank(name[strlen(name) - 1])) {
+            name[strlen(name) - 1] = '\0';
+        }
+
+        /* Validate name, spaces are not allowed. */
+        for (size_t i = 0; i < strlen(name); i++) {
+            if (isblank(name[i])) {
+                SCLogError(SC_ERR_INVALID_SIGNATURE,
+                    "spaces not allowed in flowbit names");
+                return 0;
+            }
+        }
     }
 
     return 1;
@@ -324,6 +338,10 @@ static int FlowBitsTestParse01(void)
     FAIL_IF(strcmp(command, "set") != 0);
     FAIL_IF(strcmp(name, "flowbit") != 0);
 
+    /* Spaces are not allowed in the name. */
+    FAIL_IF(DetectFlowbitParse("set,namewith space", command, sizeof(command),
+            name, sizeof(name)));
+
     PASS;
 }