fuzz/detect: forbid rule with pcre only on stream 11958/head
authorPhilippe Antoine <pantoine@oisf.net>
Tue, 25 Jun 2024 12:27:24 +0000 (14:27 +0200)
committerVictor Julien <victor@inliniac.net>
Mon, 14 Oct 2024 05:14:15 +0000 (07:14 +0200)
to avoid fuzzing being blocked by timeouts on known bad rules

Ticket: 4858

src/detect-content.c

index 6d3852ecc56f3c4872cd89118a0b55811d893c86..9625e7426d455c1f6f10d70a7f0fe9b6f215f812 100644 (file)
@@ -453,6 +453,25 @@ void SigParseRequiredContentSize(
  */
 bool DetectContentPMATCHValidateCallback(const Signature *s)
 {
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+    bool has_pcre = false;
+    bool has_content = false;
+    for (SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH]; sm != NULL; sm = sm->next) {
+        if (sm->type == DETECT_PCRE) {
+            has_pcre = true;
+        } else if (sm->type == DETECT_CONTENT) {
+            has_content = true;
+            break;
+        }
+    }
+    if (has_pcre && !has_content) {
+        // Fuzzing does not allow rules with pcre and without content on payload
+        // as it is known to be a bad rule for performance causing possible timeouts
+        // Engine analysis has more generic warn_pcre_no_content about this
+        return false;
+    }
+#endif
+
     if (!(s->flags & SIG_FLAG_DSIZE)) {
         return true;
     }
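Review bot: The fuzzing-only rejection ends in a bare `return false;` with no log line, so a fuzz-corpus rule that trips it is indistinguishable from any other parse failure when reproducing a crash or timeout; other validate callbacks in this file family emit an error before refusing a rule, so `SCLogError("fuzzing build rejects a pcre without a content match in the payload list");` just before the return would make the refusal diagnosable. The walk over `s->init_data->smlists[DETECT_SM_LIST_PMATCH]` presumably relies on `init_data` being populated at validation time; a short comment stating that precondition (`// init_data is still present: this callback runs during rule setup`) would document what the dereference depends on. The commit title says "pcre only on stream" while the code and its comment check the payload (pmatch) list, so aligning the comment wording with what is actually inspected would avoid a misleading reading. DetectContentPMATCHValidateCallback continues past the end of the hunk.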