detect/classtype: check size of rule input

author Victor Julien <victor@inliniac.net>

Wed, 2 Oct 2019 08:30:48 +0000 (10:30 +0200)

committer Victor Julien <victor@inliniac.net>

Tue, 8 Oct 2019 18:31:09 +0000 (20:31 +0200)
author Victor Julien <victor@inliniac.net>
Wed, 2 Oct 2019 08:30:48 +0000 (10:30 +0200)
committer Victor Julien <victor@inliniac.net>
Tue, 8 Oct 2019 18:31:09 +0000 (20:31 +0200)
diff --git a/src/detect-classtype.c b/src/detect-classtype.c

index aadf8f9c9dbf57b2e56acfc259a46ac40220e7aa..35a9be2ead93a72d9be55d7a94e3077d19621070 100644 (file)
--- a/src/detect-classtype.c
+++ b/src/detect-classtype.c
@@ -71,18 +71,28 @@ static int DetectClasstypeParseRawString(const char *rawstr, char *out, size_t o
      int ov[MAX_SUBSTRINGS];
      size_t len = strlen(rawstr);
  
+    const size_t esize = CLASSTYPE_NAME_MAX_LEN + 8;
+    char e[esize];
+
      int ret = pcre_exec(regex, regex_study, rawstr, len, 0, 0, ov, 30);
      if (ret < 0) {
          SCLogError(SC_ERR_PCRE_MATCH, "Invalid Classtype in Signature");
          return -1;
      }
  
-    ret = pcre_copy_substring((char *)rawstr, ov, 30, 1, out, outsize);
+    ret = pcre_copy_substring((char *)rawstr, ov, 30, 1, e, esize);
      if (ret < 0) {
          SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
          return -1;
      }
  
+    if (strlen(e) >= CLASSTYPE_NAME_MAX_LEN) {
+        SCLogError(SC_ERR_INVALID_VALUE, "classtype '%s' is too big: max %d",
+                rawstr, CLASSTYPE_NAME_MAX_LEN - 1);
+        return -1;
+    }
+    (void)strlcpy(out, e, outsize);
+
      return 0;
  }
author	Victor Julien <victor@inliniac.net>
	Wed, 2 Oct 2019 08:30:48 +0000 (10:30 +0200)
committer	Victor Julien <victor@inliniac.net>
	Tue, 8 Oct 2019 18:31:09 +0000 (20:31 +0200)