detect: avoids memory leak on ja3 signature parsing

If a later keyword enforces a protocol incompatible with ja3

diff --git a/src/detect-parse.c b/src/detect-parse.c
index d316be6db86623e46f1cadd2cba70d489a83084b..b6dbc8bb348d56a24ae076998e7e308621887849 100644 (file)
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -1912,6 +1912,12 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
     }
 #endif
 
+    if (s->init_data->init_flags & SIG_FLAG_INIT_JA3 && s->alproto != ALPROTO_UNKNOWN &&
+            s->alproto != ALPROTO_TLS && s->alproto != ALPROTO_QUIC) {
+        SCLogError(SC_ERR_INVALID_SIGNATURE, "Cannot have ja3 with protocol %s.",
+                AppProtoToString(s->alproto));
+        SCReturnInt(0);
+    }
     if ((s->flags & SIG_FLAG_FILESTORE) || s->file_flags != 0 ||
         (s->init_data->init_flags & SIG_FLAG_INIT_FILEDATA)) {
         if (s->alproto != ALPROTO_UNKNOWN &&

diff --git a/src/detect-tls-ja3-hash.c b/src/detect-tls-ja3-hash.c
index aa9bd95856c751cf1270ecdb63c48fbb8c15ad50..3d4319359424f6ddb5dfaf0d5fe61553bba58fb8 100644 (file)
--- a/src/detect-tls-ja3-hash.c
+++ b/src/detect-tls-ja3-hash.c
@@ -135,6 +135,7 @@ static int DetectTlsJa3HashSetup(DetectEngineCtx *de_ctx, Signature *s, const ch
         }
         return -2;
     }
+    s->init_data->init_flags |= SIG_FLAG_INIT_JA3;
 
     return 0;
 }

diff --git a/src/detect-tls-ja3-string.c b/src/detect-tls-ja3-string.c
index 33a8173fd7044bbc0aa41e379371d3999781ff28..3c660bb71182a4e22a1df70f9f8d4973c34449b3 100644 (file)
--- a/src/detect-tls-ja3-string.c
+++ b/src/detect-tls-ja3-string.c
@@ -124,6 +124,7 @@ static int DetectTlsJa3StringSetup(DetectEngineCtx *de_ctx, Signature *s, const
         }
         return -2;
     }
+    s->init_data->init_flags |= SIG_FLAG_INIT_JA3;
 
     return 0;
 }

diff --git a/src/detect-tls-ja3s-hash.c b/src/detect-tls-ja3s-hash.c
index 92c811b2ceb1ad6b3c5a378325e9bf7e133ef2b0..63bec7a06bf8675dc487572f8c95562aa8f434bb 100644 (file)
--- a/src/detect-tls-ja3s-hash.c
+++ b/src/detect-tls-ja3s-hash.c
@@ -133,6 +133,7 @@ static int DetectTlsJa3SHashSetup(DetectEngineCtx *de_ctx, Signature *s, const c
         }
         return -2;
     }
+    s->init_data->init_flags |= SIG_FLAG_INIT_JA3;
 
     return 0;
 }

diff --git a/src/detect-tls-ja3s-string.c b/src/detect-tls-ja3s-string.c
index d104cdfd76fe298049f00c128795d7fe4dbef935..d19bef5c5163b8daa02c8e1145d65e8e3656a0c7 100644 (file)
--- a/src/detect-tls-ja3s-string.c
+++ b/src/detect-tls-ja3s-string.c
@@ -124,6 +124,7 @@ static int DetectTlsJa3SStringSetup(DetectEngineCtx *de_ctx, Signature *s, const
         }
         return -2;
     }
+    s->init_data->init_flags |= SIG_FLAG_INIT_JA3;
 
     return 0;
 }

diff --git a/src/detect.h b/src/detect.h
index 7f7021e9a935b1d617e2f0bda6dd98b9b2055a17..bf510cb18a24be358b12ce4191da335846e7c62a 100644 (file)
--- a/src/detect.h
+++ b/src/detect.h
@@ -255,6 +255,7 @@ typedef struct DetectPort_ {
 #define SIG_FLAG_INIT_NEED_FLUSH            BIT_U32(7)
 #define SIG_FLAG_INIT_PRIO_EXPLICT          BIT_U32(8)  /**< priority is explicitly set by the priority keyword */
 #define SIG_FLAG_INIT_FILEDATA              BIT_U32(9)  /**< signature has filedata keyword */
+#define SIG_FLAG_INIT_JA3                   BIT_U32(10) /**< signature has ja3 keyword */
 
 /* signature mask flags */
 /** \note: additions should be added to the rule analyzer as well */