signature: checks for integer overflow in limits propagation

author Philippe Antoine <contact@catenacyber.fr>

Thu, 23 Jul 2020 09:26:16 +0000 (11:26 +0200)

committer Jeff Lucovsky <jeff@lucovsky.org>

Sun, 20 Sep 2020 14:44:47 +0000 (10:44 -0400)
author Philippe Antoine <contact@catenacyber.fr>
Thu, 23 Jul 2020 09:26:16 +0000 (11:26 +0200)
committer Jeff Lucovsky <jeff@lucovsky.org>
Sun, 20 Sep 2020 14:44:47 +0000 (10:44 -0400)
diff --git a/src/detect-content.c b/src/detect-content.c

index 2217943d7f62b030620877c7121710f8caf902eb..3e584e7caee1f02019096aef917e3b0008b118ad 100644 (file)
--- a/src/detect-content.c
+++ b/src/detect-content.c
@@ -495,7 +495,11 @@ void DetectContentPropagateLimits(Signature *s)
                      SCLogDebug("stored: offset %u depth %u offset_plus_pat %u", offset, depth, offset_plus_pat);
  
                      if (cd->flags & DETECT_CONTENT_DISTANCE && cd->distance >= 0) {
-                        offset = cd->offset = offset_plus_pat + cd->distance;
+                        if ((uint32_t)offset_plus_pat + cd->distance <= UINT16_MAX) {
+                            offset = cd->offset = offset_plus_pat + cd->distance;
+                        } else {
+                            SCLogDebug("not updated content offset as it would overflow : %u + %d", offset_plus_pat, cd->distance);
+                        }
                          SCLogDebug("updated content to have offset %u", cd->offset);
                      }
                      if (have_anchor && !last_reset && offset_plus_pat && cd->flags & DETECT_CONTENT_WITHIN && cd->within >= 0) {
author	Philippe Antoine <contact@catenacyber.fr>
	Thu, 23 Jul 2020 09:26:16 +0000 (11:26 +0200)
committer	Jeff Lucovsky <jeff@lucovsky.org>
	Sun, 20 Sep 2020 14:44:47 +0000 (10:44 -0400)