From: Jeff Lucovsky
Date: Tue, 28 Mar 2023 14:24:57 +0000 (-0400)
Subject: detect/byte_math: fix bug in byte_math detection
X-Git-Tag: suricata-7.0.0-rc2~439
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=38c5e89e2959fcb22994ac4b232c7c298dd7d699;p=thirdparty%2Fsuricata.git
detect/byte_math: fix bug in byte_math detection
Issue: 5945
Avoid division by zero when the byte_math operation is division and the rvalue is 0.
---
diff --git a/src/detect-bytemath.c b/src/detect-bytemath.c
index a93144e265..0d7714b094 100644
--- a/src/detect-bytemath.c
+++ b/src/detect-bytemath.c
@@ -150,7 +150,6 @@ int DetectByteMathDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *sm
 BUG_ON(extbytes > len);
 ptr += extbytes;
- det_ctx->buffer_offset = ptr - payload;
 switch (data->oper) {
 case OperatorNone:
@@ -162,6 +161,10 @@ int DetectByteMathDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *sm
 val -= rvalue;
 break;
 case Division:
+ if (rvalue == 0) {
+ SCLogDebug("avoiding division by zero");
+ return 0;
+ }
 val /= rvalue;
 break;
 case Multiplication:
@@ -179,6 +182,8 @@ int DetectByteMathDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *sm
 break;
 }
+ det_ctx->buffer_offset = ptr - payload;
+
 if (data->flags & DETECT_BYTEMATH_FLAG_BITMASK) {
 val &= data->bitmask_val;
 if (val && data->bitmask_shift_count) {
@@ -859,7 +864,7 @@ static int DetectByteMathPacket02(void)
 /*
 * byte_extract: Extract 1 byte from offset 0 --> 0x38
- * byte_math: Extract 1 byte from offset 1 (0x38)
+ * byte_math: Extract 1 byte from offset -1 (0x38)
 * Add 0x38 + 0x38 = 112 (0x70)
 * byte_test: Compare 2 bytes at offset 13 bytes from last
 * match and compare with 0x70
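Review bot: The zero-divisor guard added in the `Division` case has no regression test in this patch; the only test-side changes visible are a comment correction in DetectByteMathPacket02 and a whitespace change in DetectByteMathRegisterTests. A unit test that runs a division with an rvalue of 0 and asserts that DetectByteMathDoMatch returns 0 would keep the crash from coming back. The guard also deserves a comment stating the contract, for example `/* a zero divisor is a non-match; rvalue may be derived from packet data, so it must never reach the division */`, hedged because the place where rvalue is loaded is outside the hunk. `SCLogDebug` is normally compiled out of non-debug builds, so this path is silent in production and the comment is the only record of the behaviour. DetectByteMathDoMatch starts and ends outside the hunk.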
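Review bot: The relocated `det_ctx->buffer_offset = ptr - payload;` after the switch carries no comment saying why it has to follow the operation, so a later tidy-up could move it back above the switch. Combined with the new early `return 0` in the Division case, placing it here means a failed operation leaves buffer_offset as it was; I would add `/* commit the new offset only once the operation has succeeded */` directly above it. The remaining switch cases are outside the hunk, so whether any other path returns early is not visible from here.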
@@ -994,7 +999,7 @@ static void DetectByteMathRegisterTests(void)
 UtRegisterTest("DetectByteMathParseTest14", DetectByteMathParseTest14);
 UtRegisterTest("DetectByteMathParseTest15", DetectByteMathParseTest15);
 UtRegisterTest("DetectByteMathParseTest16", DetectByteMathParseTest16);
- UtRegisterTest("DetectByteMathPacket01", DetectByteMathPacket01);
+ UtRegisterTest("DetectByteMathPacket01", DetectByteMathPacket01);
 UtRegisterTest("DetectByteMathPacket02", DetectByteMathPacket02);
 UtRegisterTest("DetectByteMathContext01", DetectByteMathContext01);
 }