Fix stack overflow in DetectFlowbitsAnalyze

Use dynamically allocated array instead of stack and free it after it is no longer needed.

(cherry picked from commit fd4ef5cd541ad945fddae5f469e32ef0562447ca)

diff --git a/src/detect-engine-build.c b/src/detect-engine-build.c
index 71d103aa9b9e39d407751166380b43229680bb54..fddc0bfebd2a0ece2283b1751eecefe10aade4ea 100644 (file)
--- a/src/detect-engine-build.c
+++ b/src/detect-engine-build.c
@@ -1418,7 +1418,9 @@ int SigAddressPrepareStage1(DetectEngineCtx *de_ctx)
         SCLogConfig("building signature grouping structure, stage 1: "
                "preprocessing rules... complete");
     }
-    DetectFlowbitsAnalyze(de_ctx);
+
+    if (DetectFlowbitsAnalyze(de_ctx) != 0)
+        goto error;
 
     return 0;
 

diff --git a/src/detect-flowbits.c b/src/detect-flowbits.c
index 8e90efd9ed6125048b8718adc9642d33907a40b3..ae462f4b8623920a2dd7353b8893e5c598a58b9d 100644 (file)
--- a/src/detect-flowbits.c
+++ b/src/detect-flowbits.c
@@ -333,16 +333,20 @@ static void DetectFlowbitsAnalyzeDump(const DetectEngineCtx *de_ctx,
         struct FBAnalyze *array, uint32_t elements);
 #endif
 
-void DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
+int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
 {
     const uint32_t max_fb_id = de_ctx->max_fb_id;
     if (max_fb_id == 0)
-        return;
+        return 0;
 
 #define MAX_SIDS 8
     uint32_t array_size = max_fb_id + 1;
-    struct FBAnalyze array[array_size];
-    memset(&array, 0, array_size * sizeof(struct FBAnalyze));
+    struct FBAnalyze *array = SCCalloc(array_size, sizeof(struct FBAnalyze));
+
+    if (array == NULL) {
+        SCLogError(SC_ERR_MEM_ALLOC, "Unable to allocate flowbit analyze array");
+        return -1;
+    }
 
     SCLogDebug("fb analyzer array size: %"PRIu64,
             (uint64_t)(array_size * sizeof(struct FBAnalyze)));
@@ -529,6 +533,9 @@ end:
         SCFree(array[i].isnotset_sids);
         SCFree(array[i].toggle_sids);
     }
+    SCFree(array);
+
+    return 0;
 }
 
 #ifdef PROFILING

diff --git a/src/detect.h b/src/detect.h
index 4392f09b622c5fb0293cf57577f65612edd87714..63359f1863b6bab63af880cba30ce992b32f6eea 100644 (file)
--- a/src/detect.h
+++ b/src/detect.h
@@ -1487,7 +1487,7 @@ void DetectSignatureApplyActions(Packet *p, const Signature *s, const uint8_t);
 void RuleMatchCandidateTxArrayInit(DetectEngineThreadCtx *det_ctx, uint32_t size);
 void RuleMatchCandidateTxArrayFree(DetectEngineThreadCtx *det_ctx);
 
-void DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx);
+int DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx);
 
 int DetectMetadataHashInit(DetectEngineCtx *de_ctx);
 void DetectMetadataHashFree(DetectEngineCtx *de_ctx);