From: Philippe Antoine
Date: Wed, 14 Oct 2020 19:25:40 +0000 (+0200)
Subject: detect: null sanity checks for pkthdr
X-Git-Tag: suricata-6.0.1~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=445e03d75278eb40c9114eea29e07e5b83e40e4e;p=thirdparty%2Fsuricata.git
detect: null sanity checks for pkthdr
Even when the rules are only applied on traffic with the protocol the structure for the protocol header can be set to NULL if there was an error parsing the header
---
diff --git a/src/detect-icmpv6hdr.c b/src/detect-icmpv6hdr.c
index f8dbf7f6ce..ffe9595aa9 100644
--- a/src/detect-icmpv6hdr.c
+++ b/src/detect-icmpv6hdr.c
@@ -32,6 +32,7 @@
 #include "detect-engine-content-inspection.h"
 #include "detect-fast-pattern.h"
 #include "detect-icmpv6hdr.h"
+#include "util-validate.h"
 /* prototypes */
 static int DetectICMPv6hdrSetup (DetectEngineCtx *, Signature *, const char *);
@@ -104,6 +105,7 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
 if (buffer->inspect == NULL) {
 uint32_t hlen = ICMPV6_HEADER_LEN;
+ DEBUG_VALIDATE_BUG_ON(p->icmpv6h == NULL);
 if (((uint8_t *)p->icmpv6h + (ptrdiff_t)hlen) >
 ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p)))
 {
diff --git a/src/detect-ipv4hdr.c b/src/detect-ipv4hdr.c
index f963cd1a48..87b29c5aef 100644
--- a/src/detect-ipv4hdr.c
+++ b/src/detect-ipv4hdr.c
@@ -100,6 +100,10 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
 if (buffer->inspect == NULL) {
+ if (p->ip4h == NULL) {
+ // DETECT_PROTO_IPV4 does not prefilter
+ return NULL;
+ }
 uint32_t hlen = IPV4_GET_HLEN(p);
 if (((uint8_t *)p->ip4h + (ptrdiff_t)hlen) >
 ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p)))
diff --git a/src/detect-ipv6hdr.c b/src/detect-ipv6hdr.c
index 8accf9a958..e559223420 100644
--- a/src/detect-ipv6hdr.c
+++ b/src/detect-ipv6hdr.c
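Review bot: In src/detect-icmpv6hdr.c the added `DEBUG_VALIDATE_BUG_ON(p->icmpv6h == NULL);` protects the pointer only in validation builds, assuming the macro expands to nothing otherwise, whereas every other file in this commit returns NULL at runtime. If the ICMPv6 header can also be left NULL after a decode error, which the commit message says of protocol headers in general, a release build still reaches the pointer arithmetic on `p->icmpv6h` in the very next line, and a fault there would take down detection on the sensor. Either mirror the sibling files with `if (p->icmpv6h == NULL) { return NULL; }`, or add a comment naming the invariant that rules out NULL for ICMPv6 specifically. GetData's body starts and ends outside the hunk.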
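Review bot: The comment `// DETECT_PROTO_IPV4 does not prefilter` in src/detect-ipv4hdr.c, and its `DETECT_PROTO_IPV6` twin in src/detect-ipv6hdr.c, does not tell a reader why `p->ip4h` can be NULL at this point. The commit message gives the reason (the header pointer can be left NULL after a parse error), and that is what belongs next to the check. I would reword it along the lines of `// ip4h is NULL when the IPv4 header failed to parse; the protocol match alone does not exclude such packets`, the second half being my reading of the existing comment. GetData's body starts and ends outside the hunk.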
@@ -100,6 +100,10 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
 if (buffer->inspect == NULL) {
+ if (p->ip6h == NULL) {
+ // DETECT_PROTO_IPV6 does not prefilter
+ return NULL;
+ }
 uint32_t hlen = IPV6_HEADER_LEN + IPV6_GET_EXTHDRS_LEN(p);
 if (((uint8_t *)p->ip6h + (ptrdiff_t)hlen) >
 ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p)))
diff --git a/src/detect-tcphdr.c b/src/detect-tcphdr.c
index 30a3c828fd..3b0cde3f31 100644
--- a/src/detect-tcphdr.c
+++ b/src/detect-tcphdr.c
@@ -101,6 +101,11 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
 if (buffer->inspect == NULL) {
+ if (p->tcph == NULL) {
+ // may happen when DecodeTCPPacket fails
+ // for instance with invalid header length
+ return NULL;
+ }
 uint32_t hlen = TCP_GET_HLEN(p);
 if (((uint8_t *)p->tcph + (ptrdiff_t)hlen) >
 ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p)))
diff --git a/src/detect-udphdr.c b/src/detect-udphdr.c
index 6054193f96..a8900048be 100644
--- a/src/detect-udphdr.c
+++ b/src/detect-udphdr.c
@@ -99,6 +99,9 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
 if (buffer->inspect == NULL) {
+ if (p->udph == NULL) {
+ return NULL;
+ }
 if (((uint8_t *)p->udph + (ptrdiff_t)UDP_HEADER_LEN) >
 ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p)))
 {
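Review bot: The early `return NULL;` for `p->tcph == NULL` in src/detect-tcphdr.c has a detection-coverage consequence that the comment does not record: signatures inspecting this buffer are not evaluated against packets whose TCP header failed to decode. A rule author who expects this buffer to catch malformed headers would get no match and no hint why; such packets are presumably only visible through decoder events. I would add a third comment line such as `// no header buffer for such packets: rules on this buffer will not match them`. The same applies to the NULL returns in detect-ipv4hdr.c, detect-ipv6hdr.c and detect-udphdr.c, and GetData's body starts and ends outside the hunk.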
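Review bot: The `if (p->udph == NULL)` check in src/detect-udphdr.c is the only one of the four runtime guards in this commit that carries no comment, so the reason for the NULL case is left to the commit message. Assuming the cause matches the TCP case described in detect-tcphdr.c, I would add `// udph is NULL when the UDP header failed to decode` above the `return NULL;`. GetData's body starts and ends outside the hunk.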