From: Jason Ish Date: Tue, 13 Sep 2016 16:57:09 +0000 (-0600) Subject: flowbits: validate that there are no spaces in the name X-Git-Tag: suricata-3.1.3~29 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=24f2387b238e4d82ea0a9a1ec5eb12b8238b022e;p=thirdparty%2Fsuricata.git flowbits: validate that there are no spaces in the name Fixes issue: https://redmine.openinfosecfoundation.org/issues/1889 To catch the issue where the ';' is missing we have to expand the regex to capture the whole name string, not just the leading valid stuff. Then verify that there are no spaces in the name (Snort has the same restriction) and fail if there is. --- diff --git a/src/detect-flowbits.c b/src/detect-flowbits.c index 9752f03e8b..5100f7f998 100644 --- a/src/detect-flowbits.c +++ b/src/detect-flowbits.c @@ -45,7 +45,7 @@ #include "util-unittest.h" #include "util-debug.h" -#define PARSE_REGEX "([a-z]+)(?:,\\s*([^\\s]*))?" +#define PARSE_REGEX "([a-z]+)(?:,\\s*(.*))?" static pcre *parse_regex; static pcre_extra *parse_regex_study; @@ -182,6 +182,20 @@ static int DetectFlowbitParse(char *str, char *cmd, int cmd_len, char *name, SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed"); return 0; } + + /* Trim trailing whitespace. */ + while (strlen(name) > 0 && isblank(name[strlen(name) - 1])) { + name[strlen(name) - 1] = '\0'; + } + + /* Validate name, spaces are not allowed. */ + for (size_t i = 0; i < strlen(name); i++) { + if (isblank(name[i])) { + SCLogError(SC_ERR_INVALID_SIGNATURE, + "spaces not allowed in flowbit names"); + return 0; + } + } } return 1; @@ -324,6 +338,10 @@ static int FlowBitsTestParse01(void) FAIL_IF(strcmp(command, "set") != 0); FAIL_IF(strcmp(name, "flowbit") != 0); + /* Spaces are not allowed in the name. */ + FAIL_IF(DetectFlowbitParse("set,namewith space", command, sizeof(command), + name, sizeof(name))); + PASS; }