From: Victor Julien Date: Tue, 14 Jul 2015 18:09:36 +0000 (+0200) Subject: http: harden tx inspection code X-Git-Tag: suricata-3.0RC1~242 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=11d3f5f67aa9c4c70d71c8cc035f716d05dc0248;p=thirdparty%2Fsuricata.git http: harden tx inspection code --- diff --git a/src/detect-engine-hcbd.c b/src/detect-engine-hcbd.c index 2de2a54ebd..aed137985e 100644 --- a/src/detect-engine-hcbd.c +++ b/src/detect-engine-hcbd.c @@ -62,8 +62,11 @@ #define BUFFER_STEP 50 -static inline int HCBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint16_t size) +static inline int HCBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size) { + if (size >= USHRT_MAX) + return -1; + void *ptmp; if (size > det_ctx->hcbd_buffers_size) { ptmp = SCRealloc(det_ctx->hcbd, @@ -80,7 +83,8 @@ static inline int HCBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint16_t size) memset(det_ctx->hcbd + det_ctx->hcbd_buffers_size, 0, BUFFER_STEP * sizeof(HttpReassembledBody)); det_ctx->hcbd_buffers_size += BUFFER_STEP; - for (int i = det_ctx->hcbd_buffers_list_len; i < (size); i++) { + uint16_t i; + for (i = det_ctx->hcbd_buffers_list_len; i < ((uint16_t)size); i++) { det_ctx->hcbd[i].buffer_len = 0; det_ctx->hcbd[i].offset = 0; } @@ -109,8 +113,7 @@ static uint8_t *DetectEngineHCBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id, uint64_t base_inspect_id = AppLayerParserGetTransactionInspectId(f->alparser, flags); BUG_ON(base_inspect_id > tx_id); /* see how many space we need for the current tx_id */ - uint16_t txs = (tx_id - base_inspect_id) + 1; - + uint64_t txs = (tx_id - base_inspect_id) + 1; if (HCBDCreateSpace(det_ctx, txs) < 0) goto end; 
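Review bot: The new guard at the top of HCBDCreateSpace (src/detect-engine-hcbd.c) compares against `USHRT_MAX`, while the value it protects is later narrowed with `(uint16_t)size`. `UINT16_MAX` names the limit that actually matters, and it does not depend on the width of `unsigned short` or on `<limits.h>` being included, which this diff does not show. I would write `if (size >= UINT16_MAX)` and put a comment above it such as `/* size is a tx count derived from 64-bit tx ids; refuse counts that cannot be held in 16 bits */`. The same applies to the identical guards added to HHDCreateSpace and HSBDCreateSpace. The function body continues past the end of this hunk.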
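Review bot: In the second HCBDCreateSpace hunk the loop clears entries up to `size`, but the only growth visible is a single step: the memset covers `BUFFER_STEP` entries and `hcbd_buffers_size` is raised by `BUFFER_STEP`. The SCRealloc size argument lies outside the hunk, but if it also adds only one step, a call where `size` exceeds `hcbd_buffers_size + BUFFER_STEP` lets the loop write beyond the allocation. The widened parameter now admits counts up to 65534 in a single call. Growth should be sized from the request, for example `uint32_t grow_by = ((size - det_ctx->hcbd_buffers_size) / BUFFER_STEP + 1) * BUFFER_STEP;`, used for the realloc size, the memset length and the `+=`, with the size field wide enough to hold the result. HSBDCreateSpace in src/detect-engine-hsbd.c has the same shape.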
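Review bot: When HCBDCreateSpace refuses the count in the first branch of DetectEngineHCBDGetBufferForTX, the `goto end` path records nothing, and presumably the transaction's body then goes uninspected; what `end` returns is outside this hunk. On a detection path that gap is worth surfacing, e.g. `if (HCBDCreateSpace(det_ctx, txs) < 0) { SCLogDebug("tx count %"PRIu64" rejected, body not inspected", txs); goto end; }`. The matching calls in the other branch and in the HHD and HSBD files would take the same change.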
@@ -125,7 +128,7 @@ static uint8_t *DetectEngineHCBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id, return det_ctx->hcbd[(tx_id - det_ctx->hcbd_start_tx_id)].buffer; } } else { - uint16_t txs = (tx_id - det_ctx->hcbd_start_tx_id) + 1; + uint64_t txs = (tx_id - det_ctx->hcbd_start_tx_id) + 1; if (HCBDCreateSpace(det_ctx, txs) < 0) goto end; /* let's consider it as stage not done for now */ diff --git a/src/detect-engine-hhd.c b/src/detect-engine-hhd.c index dce39d3dcc..82c5b9ce35 100644 --- a/src/detect-engine-hhd.c +++ b/src/detect-engine-hhd.c @@ -60,8 +60,11 @@ #define BUFFER_STEP 50 -static inline int HHDCreateSpace(DetectEngineThreadCtx *det_ctx, uint16_t size) +static inline int HHDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size) { + if (size >= USHRT_MAX) + return -1; + void *ptmp; if (size > det_ctx->hhd_buffers_size) { ptmp = SCRealloc(det_ctx->hhd_buffers, @@ -111,8 +114,7 @@ static uint8_t *DetectEngineHHDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id, uint64_t base_inspect_id = AppLayerParserGetTransactionInspectId(f->alparser, flags); BUG_ON(base_inspect_id > tx_id); /* see how many space we need for the current tx_id */ - uint16_t txs = (tx_id - base_inspect_id) + 1; - + uint64_t txs = (tx_id - base_inspect_id) + 1; if (HHDCreateSpace(det_ctx, txs) < 0) goto end; @@ -130,7 +132,7 @@ static uint8_t *DetectEngineHHDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id, /* otherwise fall through */ } else { /* not enough space, lets expand */ - uint16_t txs = (tx_id - det_ctx->hhd_start_tx_id) + 1; + uint64_t txs = (tx_id - det_ctx->hhd_start_tx_id) + 1; if (HHDCreateSpace(det_ctx, txs) < 0) goto end; diff --git a/src/detect-engine-hsbd.c b/src/detect-engine-hsbd.c index 93440a198d..9fad1a3af1 100644 --- a/src/detect-engine-hsbd.c +++ b/src/detect-engine-hsbd.c 
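Review bot: In the else branch of DetectEngineHCBDGetBufferForTX (src/detect-engine-hcbd.c, hunk at -125) the size check misses one wrapped value. If `tx_id` is exactly one below `det_ctx->hcbd_start_tx_id`, `(tx_id - det_ctx->hcbd_start_tx_id) + 1` is 0, which passes `size >= USHRT_MAX`, and any later index computed from `tx_id - det_ctx->hcbd_start_tx_id` would be far out of range. Whether `tx_id` can be below the start id here is not visible in the hunk, so an explicit check before the subtraction is the safe form: `if (tx_id < det_ctx->hcbd_start_tx_id) goto end;`. The same applies to the else branches in DetectEngineHHDGetBufferForTX and DetectEngineHSBDGetBufferForTX. The enclosing function starts and ends outside the hunk.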
@@ -64,8 +64,11 @@ #define BUFFER_STEP 50 -static inline int HSBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint16_t size) +static inline int HSBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size) { + if (size >= USHRT_MAX) + return -1; + void *ptmp; if (size > det_ctx->hsbd_buffers_size) { ptmp = SCRealloc(det_ctx->hsbd, @@ -82,7 +85,8 @@ static inline int HSBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint16_t size) memset(det_ctx->hsbd + det_ctx->hsbd_buffers_size, 0, BUFFER_STEP * sizeof(HttpReassembledBody)); det_ctx->hsbd_buffers_size += BUFFER_STEP; } - for (int i = det_ctx->hsbd_buffers_list_len; i < (size); i++) { + uint16_t i; + for (i = det_ctx->hsbd_buffers_list_len; i < ((uint16_t)size); i++) { det_ctx->hsbd[i].buffer_len = 0; det_ctx->hsbd[i].offset = 0; } @@ -235,8 +239,7 @@ static uint8_t *DetectEngineHSBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id, uint64_t base_inspect_id = AppLayerParserGetTransactionInspectId(f->alparser, flags); BUG_ON(base_inspect_id > tx_id); /* see how many space we need for the current tx_id */ - uint16_t txs = (tx_id - base_inspect_id) + 1; - + uint64_t txs = (tx_id - base_inspect_id) + 1; if (HSBDCreateSpace(det_ctx, txs) < 0) goto end; index = (tx_id - base_inspect_id); @@ -250,7 +253,7 @@ static uint8_t *DetectEngineHSBDGetBufferForTX(htp_tx_t *tx, uint64_t tx_id, return det_ctx->hsbd[(tx_id - det_ctx->hsbd_start_tx_id)].buffer; } } else { - uint16_t txs = (tx_id - det_ctx->hsbd_start_tx_id) + 1; + uint64_t txs = (tx_id - det_ctx->hsbd_start_tx_id) + 1; if (HSBDCreateSpace(det_ctx, txs) < 0) goto end;