signature: checks for integer overflow in limits propagation

author Philippe Antoine <contact@catenacyber.fr>

Thu, 23 Jul 2020 09:26:16 +0000 (11:26 +0200)

committer Victor Julien <victor@inliniac.net>

Wed, 29 Jul 2020 08:14:23 +0000 (10:14 +0200)
author Philippe Antoine <contact@catenacyber.fr>
Thu, 23 Jul 2020 09:26:16 +0000 (11:26 +0200)
committer Victor Julien <victor@inliniac.net>
Wed, 29 Jul 2020 08:14:23 +0000 (10:14 +0200)
diff --git a/src/detect-content.c b/src/detect-content.c

index dbd72fc046b16b63f0c0e0a184266b6af8be968f..baa63053db9d163f969d387f9a4d1d9d66c6163b 100644 (file)
--- a/src/detect-content.c
+++ b/src/detect-content.c
@@ -499,7 +499,11 @@ void DetectContentPropagateLimits(Signature *s)
                      SCLogDebug("stored: offset %u depth %u offset_plus_pat %u", offset, depth, offset_plus_pat);
  
                      if (cd->flags & DETECT_CONTENT_DISTANCE && cd->distance >= 0) {
-                        offset = cd->offset = offset_plus_pat + cd->distance;
+                        if ((uint32_t)offset_plus_pat + cd->distance <= UINT16_MAX) {
+                            offset = cd->offset = offset_plus_pat + cd->distance;
+                        } else {
+                            SCLogDebug("not updated content offset as it would overflow : %u + %d", offset_plus_pat, cd->distance);
+                        }
                          SCLogDebug("updated content to have offset %u", cd->offset);
                      }
                      if (have_anchor && !last_reset && offset_plus_pat && cd->flags & DETECT_CONTENT_WITHIN && cd->within >= 0) {
author	Philippe Antoine <contact@catenacyber.fr>
	Thu, 23 Jul 2020 09:26:16 +0000 (11:26 +0200)
committer	Victor Julien <victor@inliniac.net>
	Wed, 29 Jul 2020 08:14:23 +0000 (10:14 +0200)