detect: null sanity checks for pkthdr

Even when the rules are only applied on traffic with the protocol
the structure for the protocol header can be set to NULL if there
was an error parsing the header

diff --git a/src/detect-icmpv6hdr.c b/src/detect-icmpv6hdr.c
index f8dbf7f6cefee4286d577ea707898c1abf75caac..ffe9595aa98d5df939b34e0875e2d96dbd1ba971 100644 (file)
--- a/src/detect-icmpv6hdr.c
+++ b/src/detect-icmpv6hdr.c
@@ -32,6 +32,7 @@
 #include "detect-engine-content-inspection.h"
 #include "detect-fast-pattern.h"
 #include "detect-icmpv6hdr.h"
+#include "util-validate.h"
 
 /* prototypes */
 static int DetectICMPv6hdrSetup (DetectEngineCtx *, Signature *, const char *);
@@ -104,6 +105,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
     InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
     if (buffer->inspect == NULL) {
         uint32_t hlen = ICMPV6_HEADER_LEN;
+        DEBUG_VALIDATE_BUG_ON(p->icmpv6h == NULL);
         if (((uint8_t *)p->icmpv6h + (ptrdiff_t)hlen) >
                 ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p)))
         {

diff --git a/src/detect-ipv4hdr.c b/src/detect-ipv4hdr.c
index f963cd1a4876d1806460176e8204ed0426d20bd2..87b29c5aefd0e3306907909181c4f128c5348ec8 100644 (file)
--- a/src/detect-ipv4hdr.c
+++ b/src/detect-ipv4hdr.c
@@ -100,6 +100,10 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 
     InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
     if (buffer->inspect == NULL) {
+        if (p->ip4h == NULL) {
+            // DETECT_PROTO_IPV4 does not prefilter
+            return NULL;
+        }
         uint32_t hlen = IPV4_GET_HLEN(p);
         if (((uint8_t *)p->ip4h + (ptrdiff_t)hlen) >
                 ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p)))

diff --git a/src/detect-ipv6hdr.c b/src/detect-ipv6hdr.c
index 8accf9a958e81ea55609a426c0d7134ecbfb9116..e5592234205ab93960e5e1792ed5e7c15ad7f50d 100644 (file)
--- a/src/detect-ipv6hdr.c
+++ b/src/detect-ipv6hdr.c
@@ -100,6 +100,10 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 
     InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
     if (buffer->inspect == NULL) {
+        if (p->ip6h == NULL) {
+            // DETECT_PROTO_IPV6 does not prefilter
+            return NULL;
+        }
         uint32_t hlen = IPV6_HEADER_LEN + IPV6_GET_EXTHDRS_LEN(p);
         if (((uint8_t *)p->ip6h + (ptrdiff_t)hlen) >
                 ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p)))

diff --git a/src/detect-tcphdr.c b/src/detect-tcphdr.c
index 30a3c828fd74020e970b482998ccb48c2390f683..3b0cde3f318a376294b922956b2399da5b944a56 100644 (file)
--- a/src/detect-tcphdr.c
+++ b/src/detect-tcphdr.c
@@ -101,6 +101,11 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 
     InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
     if (buffer->inspect == NULL) {
+        if (p->tcph == NULL) {
+            // may happen when DecodeTCPPacket fails
+            // for instance with invalid header length
+            return NULL;
+        }
         uint32_t hlen = TCP_GET_HLEN(p);
         if (((uint8_t *)p->tcph + (ptrdiff_t)hlen) >
                 ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p)))

diff --git a/src/detect-udphdr.c b/src/detect-udphdr.c
index 6054193f96640f0a63029b927edd2f6186b48aec..a8900048bea4f290fe9240e58f060f935bb597f5 100644 (file)
--- a/src/detect-udphdr.c
+++ b/src/detect-udphdr.c
@@ -99,6 +99,9 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 
     InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
     if (buffer->inspect == NULL) {
+        if (p->udph == NULL) {
+            return NULL;
+        }
         if (((uint8_t *)p->udph + (ptrdiff_t)UDP_HEADER_LEN) >
                 ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p)))
         {