DetectGidSet - safer stripping of quotes.

Discovered by AFL when using a rule like:
    alert tcp any any -> any any (content:"ABC"; gid:";)
resulting a negative array index.

diff --git a/src/detect-gid.c b/src/detect-gid.c
index b25dc0157957249db9ce236fd83909837d3b1e50..3a36d7bc65b2acb1b4543d47a5e27ab9fb75e36c 100644 (file)
--- a/src/detect-gid.c
+++ b/src/detect-gid.c
@@ -71,13 +71,15 @@ static int DetectGidSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
     char *str = rawstr;
     char dubbed = 0;
 
-    /* strip "'s */
-    if (rawstr[0] == '\"' && rawstr[strlen(rawstr)-1] == '\"') {
-        str = SCStrdup(rawstr+1);
-        if (unlikely(str == NULL))
+    /* Strip leading and trailing "s. */
+    if (rawstr[0] == '\"') {
+        str = SCStrdup(rawstr + 1);
+        if (unlikely(str == NULL)) {
             return -1;
-
-        str[strlen(rawstr)-2] = '\0';
+        }
+        if (strlen(str) && str[strlen(str) - 1] == '\"') {
+            str[strlen(str) - 1] = '\"';
+        }
         dubbed = 1;
     }
 
@@ -160,6 +162,31 @@ end:
         DetectEngineCtxFree(de_ctx);
     return result;
 }
+
+/**
+ * \test Test a gid consisting of a single quote.
+ *
+ * \retval 1 on succces
+ * \retval 0 on failure
+ */
+static int GidTestParse03 (void)
+{
+    int result = 0;
+
+    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+    if (de_ctx == NULL)
+        goto end;
+
+    if (DetectEngineAppendSig(de_ctx,
+            "alert tcp any any -> any any (content:\"ABC\"; gid:\";)") != NULL)
+        goto end;
+
+    result = 1;
+end:
+    if (de_ctx != NULL)
+        DetectEngineCtxFree(de_ctx);
+    return result;
+}
 #endif /* UNITTESTS */
 
 /**
@@ -170,5 +197,6 @@ void GidRegisterTests(void)
 #ifdef UNITTESTS
     UtRegisterTest("GidTestParse01", GidTestParse01, 1);
     UtRegisterTest("GidTestParse02", GidTestParse02, 1);
+    UtRegisterTest("GidTestParse03", GidTestParse03, 1);
 #endif /* UNITTESTS */
 }