detect/flowbits: fix stack overflow in analyzer

author Antti Tönkyrä <daedalus@pingtimeout.net>

Fri, 26 Jun 2020 10:37:45 +0000 (10:37 +0000)

committer Victor Julien <victor@inliniac.net>

Mon, 6 Jul 2020 09:43:49 +0000 (11:43 +0200)
author Antti Tönkyrä <daedalus@pingtimeout.net>
Fri, 26 Jun 2020 10:37:45 +0000 (10:37 +0000)
committer Victor Julien <victor@inliniac.net>
Mon, 6 Jul 2020 09:43:49 +0000 (11:43 +0200)
diff --git a/src/detect-engine-build.c b/src/detect-engine-build.c

index 71253ca3ce28e7ec42c8bfbd50446ebf1d8457d1..36edfcdba5d0ff5ffbae411c79f8441d765f1cf2 100644 (file)
--- a/src/detect-engine-build.c
+++ b/src/detect-engine-build.c
@@ -1418,7 +1418,9 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx)
          SCLogConfig("building signature grouping structure, stage 1: "
                 "preprocessing rules... complete");
      }
-    DetectFlowbitsAnalyze(de_ctx);
+
+    if (DetectFlowbitsAnalyze(de_ctx) != 0)
+        goto error;
  
      return 0;
  
diff --git a/src/detect-flowbits.c b/src/detect-flowbits.c

index 2d77ba90be5a60d6f9edf33a48bbeca3aa4062bc..cbe46784116b9e7ba616fb73951d979602673fb5 100644 (file)
--- a/src/detect-flowbits.c
+++ b/src/detect-flowbits.c
@@ -400,16 +400,20 @@ static void DetectFlowbitsAnalyzeDump(const DetectEngineCtx *de_ctx,
          struct FBAnalyze *array, uint32_t elements);
  #endif
  
-void DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
+int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
  {
      const uint32_t max_fb_id = de_ctx->max_fb_id;
      if (max_fb_id == 0)
-        return;
+        return 0;
  
  #define MAX_SIDS 8
      uint32_t array_size = max_fb_id + 1;
-    struct FBAnalyze array[array_size];
-    memset(&array, 0, array_size * sizeof(struct FBAnalyze));
+    struct FBAnalyze *array = SCCalloc(array_size, sizeof(struct FBAnalyze));
+
+    if (array == NULL) {
+        SCLogError(SC_ERR_MEM_ALLOC, "Unable to allocate flowbit analyze array");
+        return -1;
+    }
  
      SCLogDebug("fb analyzer array size: %"PRIu64,
              (uint64_t)(array_size * sizeof(struct FBAnalyze)));
@@ -633,6 +637,9 @@ end:
          SCFree(array[i].isnotset_sids);
          SCFree(array[i].toggle_sids);
      }
+    SCFree(array);
+
+    return 0;
  }
  
  #ifdef PROFILING
diff --git a/src/detect.h b/src/detect.h

index 71cdc458b03b64616cd01a8d756c8e29c5cfc0bb..2138b6ed21ec800f5597c93a38981f1d9833fcab 100644 (file)
--- a/src/detect.h
+++ b/src/detect.h
@@ -1494,7 +1494,7 @@ void DetectSignatureApplyActions(Packet *p, const Signature *s, const uint8_t);
  void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size);
  void RuleMatchCandidateTxArrayFree(DetectEngineThreadCtx *det_ctx);
  
-void DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx);
+int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx);
  
  int DetectMetadataHashInit(DetectEngineCtx *de_ctx);
  void DetectMetadataHashFree(DetectEngineCtx *de_ctx);
author	Antti Tönkyrä <daedalus@pingtimeout.net>
	Fri, 26 Jun 2020 10:37:45 +0000 (10:37 +0000)
committer	Victor Julien <victor@inliniac.net>
	Mon, 6 Jul 2020 09:43:49 +0000 (11:43 +0200)
src/detect-engine-build.c		patch \| blob \| blame \| history
src/detect-flowbits.c		patch \| blob \| blame \| history
src/detect.h		patch \| blob \| blame \| history