From: Victor Julien
Date: Tue, 13 Feb 2018 10:22:33 +0000 (+0100)
Subject: detect: fix out of bounds write in thread space creation
X-Git-Tag: suricata-4.0.4~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2dc344edb0409dbfa62d689dba4e49ee5d20921a;p=thirdparty%2Fsuricata.git
detect: fix out of bounds write in thread space creation
---
diff --git a/src/detect-engine-filedata-smtp.c b/src/detect-engine-filedata-smtp.c
index f2790e4829..39c874cab1 100644
--- a/src/detect-engine-filedata-smtp.c
+++ b/src/detect-engine-filedata-smtp.c
@@ -56,14 +56,19 @@
 #include "conf.h"
 #include "conf-yaml-loader.h"
-#define BUFFER_STEP 50
+#define BUFFER_GROW_STEP 50
-static inline int SMTPCreateSpace(DetectEngineThreadCtx *det_ctx, uint16_t size)
+static inline int SMTPCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size)
 {
- void *ptmp;
+ if (size >= (USHRT_MAX - BUFFER_GROW_STEP))
+ return -1;
+
 if (size > det_ctx->smtp_buffers_size) {
- ptmp = SCRealloc(det_ctx->smtp,
- (det_ctx->smtp_buffers_size + BUFFER_STEP) * sizeof(FiledataReassembledBody));
+ uint16_t grow_by = size - det_ctx->smtp_buffers_size;
+ grow_by = MAX(grow_by, BUFFER_GROW_STEP);
+
+ void *ptmp = SCRealloc(det_ctx->smtp,
+ (det_ctx->smtp_buffers_size + grow_by) * sizeof(FiledataReassembledBody));
 if (ptmp == NULL) {
 SCFree(det_ctx->smtp);
 det_ctx->smtp = NULL;
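Review bot: `uint16_t grow_by = size - det_ctx->smtp_buffers_size;` silently narrows a uint64_t difference to 16 bits and is only safe because of the `size >= (USHRT_MAX - BUFFER_GROW_STEP)` guard added a few lines above, yet neither line says so; the old side of this very hunk shows the guard was present in the hcbd/hsbd copies but missing here, so the invariant is easy to lose. I would document it on the guard, e.g. `/* smtp_buffers_size looks like a 16-bit count: refuse any size that could not fit after growing by BUFFER_GROW_STEP */` — the field's declaration is not visible from here, so confirm the type before wording it as fact. The same function body appears nearly verbatim as HCBDCreateSpace and HSBDCreateSpace in the next two files with only the field names and element type differing; a single shared grow helper would keep the three guards from drifting again. The realloc-failure branch continues past the end of the hunk.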
@@ -73,10 +78,11 @@ static inline int SMTPCreateSpace(DetectEngineThreadCtx *det_ctx, uint16_t size)
 }
 det_ctx->smtp = ptmp;
- memset(det_ctx->smtp + det_ctx->smtp_buffers_size, 0, BUFFER_STEP * sizeof(FiledataReassembledBody));
- det_ctx->smtp_buffers_size += BUFFER_STEP;
+ memset(det_ctx->smtp + det_ctx->smtp_buffers_size, 0, grow_by * sizeof(FiledataReassembledBody));
+ det_ctx->smtp_buffers_size += grow_by;
 }
- for (int i = det_ctx->smtp_buffers_list_len; i < (size); i++) {
+ uint16_t i;
+ for (i = det_ctx->smtp_buffers_list_len; i < det_ctx->smtp_buffers_size; i++) {
 det_ctx->smtp[i].buffer_len = 0;
 det_ctx->smtp[i].offset = 0;
 }
diff --git a/src/detect-engine-hcbd.c b/src/detect-engine-hcbd.c
index 6d511b629a..6dce727d66 100644
--- a/src/detect-engine-hcbd.c
+++ b/src/detect-engine-hcbd.c
@@ -65,17 +65,19 @@
 #include "util-validate.h"
-#define BUFFER_STEP 50
+#define BUFFER_GROW_STEP 50
 static inline int HCBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size)
 {
- if (size >= (USHRT_MAX - BUFFER_STEP))
+ if (size >= (USHRT_MAX - BUFFER_GROW_STEP))
 return -1;
- void *ptmp;
 if (size > det_ctx->hcbd_buffers_size) {
- ptmp = SCRealloc(det_ctx->hcbd,
- (det_ctx->hcbd_buffers_size + BUFFER_STEP) * sizeof(HttpReassembledBody));
+ uint16_t grow_by = size - det_ctx->hcbd_buffers_size;
+ grow_by = MAX(grow_by, BUFFER_GROW_STEP);
+
+ void *ptmp = SCRealloc(det_ctx->hcbd,
+ (det_ctx->hcbd_buffers_size + grow_by) * sizeof(HttpReassembledBody));
 if (ptmp == NULL) {
 SCFree(det_ctx->hcbd);
 det_ctx->hcbd = NULL;
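Review bot: The new bound `i < det_ctx->smtp_buffers_size` on the for loop is the line that actually closes the out-of-bounds write (the old `i < (size)` could index past the allocation once growth was capped at BUFFER_STEP), but nothing in the code records that the loop must be bounded by the allocated count rather than the requested one, which is exactly the mistake the old line made. I would add `/* reset every allocated slot from list_len up; never bound this by the requested size */` directly above the for. Note the loop now visits every slot between smtp_buffers_list_len and smtp_buffers_size on each call, even when no growth happened, and clears only buffer_len and offset; whether the remaining members of FiledataReassembledBody need resetting cannot be judged from this hunk. The identical loop change is made in HCBDCreateSpace and HSBDCreateSpace in the following hunks.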
@@ -85,11 +87,11 @@ static inline int HCBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size)
 }
 det_ctx->hcbd = ptmp;
- memset(det_ctx->hcbd + det_ctx->hcbd_buffers_size, 0, BUFFER_STEP * sizeof(HttpReassembledBody));
- det_ctx->hcbd_buffers_size += BUFFER_STEP;
+ memset(det_ctx->hcbd + det_ctx->hcbd_buffers_size, 0, grow_by * sizeof(HttpReassembledBody));
+ det_ctx->hcbd_buffers_size += grow_by;
 uint16_t i;
- for (i = det_ctx->hcbd_buffers_list_len; i < ((uint16_t)size); i++) {
+ for (i = det_ctx->hcbd_buffers_list_len; i < det_ctx->hcbd_buffers_size; i++) {
 det_ctx->hcbd[i].buffer_len = 0;
 det_ctx->hcbd[i].offset = 0;
 }
diff --git a/src/detect-engine-hsbd.c b/src/detect-engine-hsbd.c
index 778802a5d9..2355dd5bef 100644
--- a/src/detect-engine-hsbd.c
+++ b/src/detect-engine-hsbd.c
@@ -66,17 +66,19 @@
 #include "util-validate.h"
-#define BUFFER_STEP 50
+#define BUFFER_GROW_STEP 50
 static inline int HSBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size)
 {
- if (size >= (USHRT_MAX - BUFFER_STEP))
+ if (size >= (USHRT_MAX - BUFFER_GROW_STEP))
 return -1;
- void *ptmp;
 if (size > det_ctx->hsbd_buffers_size) {
- ptmp = SCRealloc(det_ctx->hsbd,
- (det_ctx->hsbd_buffers_size + BUFFER_STEP) * sizeof(HttpReassembledBody));
+ uint16_t grow_by = size - det_ctx->hsbd_buffers_size;
+ grow_by = MAX(grow_by, BUFFER_GROW_STEP);
+
+ void *ptmp = SCRealloc(det_ctx->hsbd,
+ (det_ctx->hsbd_buffers_size + grow_by) * sizeof(HttpReassembledBody));
 if (ptmp == NULL) {
 SCFree(det_ctx->hsbd);
 det_ctx->hsbd = NULL;
@@ -86,11 +88,11 @@ static inline int HSBDCreateSpace(DetectEngineThreadCtx *det_ctx, uint64_t size)
 }
 det_ctx->hsbd = ptmp;
- memset(det_ctx->hsbd + det_ctx->hsbd_buffers_size, 0, BUFFER_STEP * sizeof(HttpReassembledBody));
- det_ctx->hsbd_buffers_size += BUFFER_STEP;
+ memset(det_ctx->hsbd + det_ctx->hsbd_buffers_size, 0, grow_by * sizeof(HttpReassembledBody));
+ det_ctx->hsbd_buffers_size += grow_by;
 }
 uint16_t i;
- for (i = det_ctx->hsbd_buffers_list_len; i < ((uint16_t)size); i++) {
+ for (i = det_ctx->hsbd_buffers_list_len; i < det_ctx->hsbd_buffers_size; i++) {
 det_ctx->hsbd[i].buffer_len = 0;
 det_ctx->hsbd[i].offset = 0;
 }