Pull request #3904: ips_options: add gadget check for vba_data

author Andrii Serbeniuk -X (aserbeni - SOFTSERVE INC at Cisco) <aserbeni@cisco.com>

Mon, 10 Jul 2023 11:42:27 +0000 (11:42 +0000)

committer Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) <oshumeik@cisco.com>

Mon, 10 Jul 2023 11:42:27 +0000 (11:42 +0000)
author Andrii Serbeniuk -X (aserbeni - SOFTSERVE INC at Cisco) <aserbeni@cisco.com>
Mon, 10 Jul 2023 11:42:27 +0000 (11:42 +0000)
committer Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) <oshumeik@cisco.com>
Mon, 10 Jul 2023 11:42:27 +0000 (11:42 +0000)
diff --git a/src/ips_options/dev_notes.txt b/src/ips_options/dev_notes.txt

index b3efb7f99699b5e731588fab36d104b289dcc897..5a85f9bb39ed15a713c464c88c33baf6d227b27d 100644 (file)
--- a/src/ips_options/dev_notes.txt
+++ b/src/ips_options/dev_notes.txt
@@ -6,6 +6,12 @@ however, such as content, are still tightly coupled with the code and can
  only be built statically.  The code will hopefully evolve and eliminate
  these cases.
  
+IPS options are not guaranteed to get all they need for evaluation. For example,
+a packet may not have a flow assigned to it, or the flow may not have a gadget
+present. Not all options need specific inputs, so, if one does, that option should
+validate input values.
+Service-only options may not be guaranteed to get a gadget on the flow.
+
  Several options use RangeCheck to implement upper and/or lower bound
  semantics.  The Snort 2X options had various implementations of ranges so
  3X differs in some places.
diff --git a/src/ips_options/ips_vba_data.cc b/src/ips_options/ips_vba_data.cc

index 73e7ffd760d2da434d8669797f41d9e4feb2aa50..d536168b3ca0b7017b40399b7705a6129b00c9a3 100644 (file)
--- a/src/ips_options/ips_vba_data.cc
+++ b/src/ips_options/ips_vba_data.cc
@@ -39,6 +39,9 @@ IpsOption::EvalStatus VbaDataOption::eval(Cursor& c, Packet* p)
  {
      RuleProfile profile(vbaDataPerfStats);
  
+    if (!p->flow or !p->flow->gadget)
+        return NO_MATCH;
+
      InspectionBuffer buf;
      if (!p->flow->gadget->get_fp_buf(buf.IBT_VBA, p, buf)) 
          return NO_MATCH;
@@ -147,3 +150,37 @@ const BaseApi* ips_vba_data[] =
      nullptr
  };
  
+//-------------------------------------------------------------------------
+// UNIT TESTS
+//-------------------------------------------------------------------------
+#ifdef UNIT_TEST
+
+#include "catch/snort_catch.h"
+
+TEST_CASE("vba_data test", "[ips_vba_data]")
+{
+    VbaDataOption vba_data_opt;
+    Packet p;
+    p.data = (const uint8_t*) "foo";
+    p.dsize = strlen((const char*) p.data);
+
+    SECTION("null flow")
+    {
+        p.flow = nullptr;
+
+        Cursor c(&p);
+        REQUIRE(vba_data_opt.eval(c, &p) == IpsOption::NO_MATCH);
+    }
+
+    SECTION("null gadget")
+    {
+        Flow f;
+        p.flow = &f;
+        p.flow->gadget = nullptr;
+
+        Cursor c(&p);
+        REQUIRE(vba_data_opt.eval(c, &p) == IpsOption::NO_MATCH);
+    }
+}
+
+#endif
author	Andrii Serbeniuk -X (aserbeni - SOFTSERVE INC at Cisco) <aserbeni@cisco.com>
	Mon, 10 Jul 2023 11:42:27 +0000 (11:42 +0000)
committer	Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) <oshumeik@cisco.com>
	Mon, 10 Jul 2023 11:42:27 +0000 (11:42 +0000)
src/ips_options/dev_notes.txt		patch \| blob \| blame \| history
src/ips_options/ips_vba_data.cc		patch \| blob \| blame \| history