detect: fix out of bounds write in thread space creation
authorVictor Julien <victor@inliniac.net>
Tue, 13 Feb 2018 10:22:33 +0000 (11:22 +0100)
committerVictor Julien <victor@inliniac.net>
Tue, 13 Feb 2018 10:22:33 +0000 (11:22 +0100)
src/detect-engine-filedata-smtp.c
src/detect-engine-hcbd.c
src/detect-engine-hsbd.c

index f2790e4829e76f0d3c8109ff90770bb63663625f..39c874cab1d2d080c21e9ac96f8a0577fb1b8129 100644 (file)
 #include "conf.h"
 #include "conf-yaml-loader.h"
 
-#define BUFFER_STEP 50
+#define BUFFER_GROW_STEP 50
 
-static inline int SMTPCreateSpace(DetectEngineThreadCtx *det_ctx, uint16_t size)
+static inline int SMTPCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size)
 {
-    void *ptmp;
+    if (size >= (USHRT_MAX - BUFFER_GROW_STEP))
+        return -1;
+
     if (size > det_ctx->smtp_buffers_size) {
-        ptmp = SCRealloc(det_ctx->smtp,
-                         (det_ctx->smtp_buffers_size + BUFFER_STEP) * sizeof(FiledataReassembledBody));
+        uint16_t grow_by = size - det_ctx->smtp_buffers_size;
+        grow_by = MAX(grow_by, BUFFER_GROW_STEP);
+
+        void *ptmp = SCRealloc(det_ctx->smtp,
+                         (det_ctx->smtp_buffers_size + grow_by) * sizeof(FiledataReassembledBody));
         if (ptmp == NULL) {
             SCFree(det_ctx->smtp);
             det_ctx->smtp = NULL;
@@ -73,10 +78,11 @@ static inline int SMTPCreateSpace(DetectEngineThreadCtx *det_ctx, uint16_t size)
         }
         det_ctx->smtp = ptmp;
 
-        memset(det_ctx->smtp + det_ctx->smtp_buffers_size, 0, BUFFER_STEP * sizeof(FiledataReassembledBody));
-        det_ctx->smtp_buffers_size += BUFFER_STEP;
+        memset(det_ctx->smtp + det_ctx->smtp_buffers_size, 0, grow_by * sizeof(FiledataReassembledBody));
+        det_ctx->smtp_buffers_size += grow_by;
     }
-    for (int i = det_ctx->smtp_buffers_list_len; i < (size); i++) {
+    uint16_t i;
+    for (i = det_ctx->smtp_buffers_list_len; i < det_ctx->smtp_buffers_size; i++) {
         det_ctx->smtp[i].buffer_len = 0;
         det_ctx->smtp[i].offset = 0;
     }
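Review bot: The narrowing in `uint16_t grow_by = size - det_ctx->smtp_buffers_size;` is safe only because of the `size >= (USHRT_MAX - BUFFER_GROW_STEP)` guard added at the top of SMTPCreateSpace, and nothing in the code says so. Assuming `smtp_buffers_size` is a 16-bit field (its declaration is not on this page), that guard is what keeps `grow_by` and the later `smtp_buffers_size += grow_by` from wrapping. If a later edit relaxed it, the recorded capacity could again disagree with what was allocated, and the memset and reset loop would write past the buffer. I would add a comment above the declaration, for example `/* size < USHRT_MAX - BUFFER_GROW_STEP (checked above), so grow_by and the new buffers_size fit in uint16_t */`. The same comment belongs in HCBDCreateSpace and HSBDCreateSpace; the rest of the realloc failure path and the function tail are outside the hunks.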
index 6d511b629a1b86d1ce2dd8fd86ec863fc37cb6cd..6dce727d66148564f7a8555cb87274ec0e71dab8 100644 (file)
 
 #include "util-validate.h"
 
-#define BUFFER_STEP 50
+#define BUFFER_GROW_STEP 50
 
 static inline int HCBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size)
 {
-    if (size >= (USHRT_MAX - BUFFER_STEP))
+    if (size >= (USHRT_MAX - BUFFER_GROW_STEP))
         return -1;
 
-    void *ptmp;
     if (size > det_ctx->hcbd_buffers_size) {
-        ptmp = SCRealloc(det_ctx->hcbd,
-                         (det_ctx->hcbd_buffers_size + BUFFER_STEP) * sizeof(HttpReassembledBody));
+        uint16_t grow_by = size - det_ctx->hcbd_buffers_size;
+        grow_by = MAX(grow_by, BUFFER_GROW_STEP);
+
+        void *ptmp = SCRealloc(det_ctx->hcbd,
+                         (det_ctx->hcbd_buffers_size + grow_by) * sizeof(HttpReassembledBody));
         if (ptmp == NULL) {
             SCFree(det_ctx->hcbd);
             det_ctx->hcbd = NULL;
@@ -85,11 +87,11 @@ static inline int HCBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size)
         }
         det_ctx->hcbd = ptmp;
 
-        memset(det_ctx->hcbd + det_ctx->hcbd_buffers_size, 0, BUFFER_STEP * sizeof(HttpReassembledBody));
-        det_ctx->hcbd_buffers_size += BUFFER_STEP;
+        memset(det_ctx->hcbd + det_ctx->hcbd_buffers_size, 0, grow_by * sizeof(HttpReassembledBody));
+        det_ctx->hcbd_buffers_size += grow_by;
 
         uint16_t i;
-        for (i = det_ctx->hcbd_buffers_list_len; i < ((uint16_t)size); i++) {
+        for (i = det_ctx->hcbd_buffers_list_len; i < det_ctx->hcbd_buffers_size; i++) {
             det_ctx->hcbd[i].buffer_len = 0;
             det_ctx->hcbd[i].offset = 0;
         }
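Review bot: The reset loop in HCBDCreateSpace sits inside the `if (size > det_ctx->hcbd_buffers_size)` branch, going by its indentation (the branch's closing brace is outside the hunk). The SMTP and HSBD variants on this page run the same loop after the branch, on every call. Here a call that does not grow the array leaves `buffer_len` and `offset` untouched for slots at or above `hcbd_buffers_list_len`; whether those slots can hold stale values depends on code not shown. Either move the loop below the branch so the three functions behave alike, or add a comment stating why resetting only on growth is sufficient for this buffer.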
index 778802a5d9fd797bd667915db9226ebb3abe0ca0..2355dd5befa7f9d9e4787f93c12cadf18743063f 100644 (file)
 
 #include "util-validate.h"
 
-#define BUFFER_STEP 50
+#define BUFFER_GROW_STEP 50
 
 static inline int HSBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size)
 {
-    if (size >= (USHRT_MAX - BUFFER_STEP))
+    if (size >= (USHRT_MAX - BUFFER_GROW_STEP))
         return -1;
 
-    void *ptmp;
     if (size > det_ctx->hsbd_buffers_size) {
-        ptmp = SCRealloc(det_ctx->hsbd,
-                         (det_ctx->hsbd_buffers_size + BUFFER_STEP) * sizeof(HttpReassembledBody));
+        uint16_t grow_by = size - det_ctx->hsbd_buffers_size;
+        grow_by = MAX(grow_by, BUFFER_GROW_STEP);
+
+        void *ptmp = SCRealloc(det_ctx->hsbd,
+                         (det_ctx->hsbd_buffers_size + grow_by) * sizeof(HttpReassembledBody));
         if (ptmp == NULL) {
             SCFree(det_ctx->hsbd);
             det_ctx->hsbd = NULL;
@@ -86,11 +88,11 @@ static inline int HSBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size)
         }
         det_ctx->hsbd = ptmp;
 
-        memset(det_ctx->hsbd + det_ctx->hsbd_buffers_size, 0, BUFFER_STEP * sizeof(HttpReassembledBody));
-        det_ctx->hsbd_buffers_size += BUFFER_STEP;
+        memset(det_ctx->hsbd + det_ctx->hsbd_buffers_size, 0, grow_by * sizeof(HttpReassembledBody));
+        det_ctx->hsbd_buffers_size += grow_by;
     }
     uint16_t i;
-    for (i = det_ctx->hsbd_buffers_list_len; i < ((uint16_t)size); i++) {
+    for (i = det_ctx->hsbd_buffers_list_len; i < det_ctx->hsbd_buffers_size; i++) {
         det_ctx->hsbd[i].buffer_len = 0;
         det_ctx->hsbd[i].offset = 0;
     }
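Review bot: HSBDCreateSpace is nearly identical to HCBDCreateSpace and SMTPCreateSpace apart from field names and element type, so this commit had to apply one bounds fix three times. The copies had already drifted: the SMTP one took a `uint16_t size` and lacked the USHRT_MAX guard that the two HTTP ones carried. A single shared helper taking the array, its capacity field and the element size would keep the bound check and the growth arithmetic in one place. Failing that, a short comment in each file naming the two sibling functions would help the next fix reach all three.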