From: Victor Julien
Date: Fri, 7 Jul 2017 08:57:47 +0000 (+0200)
Subject: pcre: fix \xHH issue for http_host
X-Git-Tag: suricata-4.0.0-rc2~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5781c8fc780f182c10d7c0fd3d4f4cfc7ed63faa;p=thirdparty%2Fsuricata.git

pcre: fix \xHH issue for http_host

The http_host keyword checks if the regex contains uppercase characters. This check was rejecting valid syntax in the following format:

content:"|2E|suricata"; http_host; pcre:"/\x2Esuricata$/W";

This patch addresses this case.

Bug #1957.
---

diff --git a/src/detect-pcre.c b/src/detect-pcre.c
index aebc06a9d0..888492a579 100644
--- a/src/detect-pcre.c
+++ b/src/detect-pcre.c
@@ -290,14 +290,27 @@ static int DetectPcreSetList(int list, int set)
 static int DetectPcreHasUpperCase(const char *re)
 {
 size_t len = strlen(re);
- int is_meta = 0;
+ bool is_meta = false;
+ bool is_meta_hex = false;
+ int meta_hex_cnt = 0;

 for (size_t i = 0; i < len; i++) {
- if (is_meta) {
- is_meta = 0;
+ if (is_meta_hex) {
+ meta_hex_cnt++;
+
+ if (meta_hex_cnt == 2) {
+ is_meta_hex = false;
+ meta_hex_cnt = 0;
+ }
+ } else if (is_meta) {
+ if (re[i] == 'x') {
+ is_meta_hex = true;
+ } else {
+ is_meta = false;
+ }
 }
 else if (re[i] == '\\') {
- is_meta = 1;
+ is_meta = true;
 }
 else if (isupper((unsigned char)re[i])) {
 return 1;
@@ -1544,6 +1557,23 @@ static int DetectPcreParseTest27(void)
 PASS;
 }

+/** \test Bug 1957 */
+static int DetectPcreParseTest28(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+
+ FAIL_IF( (de_ctx = DetectEngineCtxInit()) == NULL);
+
+ de_ctx->flags |= DE_QUIET;
+ de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any 80 "
+ "(content:\"|2E|suricata\"; http_host; pcre:\"/\\x2Esuricata$/W\"; "
+ "sid:2; rev:2;)");
+ FAIL_IF_NULL(de_ctx->sig_list);
+
+ DetectEngineCtxFree(de_ctx);
+ PASS;
+}
+
 static int DetectPcreTestSig01(void)
 {
 uint8_t *buf = (uint8_t *)
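Review bot: In the new `else if (is_meta)` branch of DetectPcreHasUpperCase, `is_meta` stays set when `x` is seen, so after the two hex digits are consumed the next character is still handled as an escaped one and never reaches the isupper() test. A pattern such as `\x2ESuricata` would therefore pass the check although its literal `S` presumably cannot match the normalized http_host buffer, leaving a rule that loads but stays silent. Clearing the flag when hex mode is entered, `is_meta_hex = true; is_meta = false;`, keeps the check active after the escape. The loop also skips two characters after `\x` without confirming they are hex digits and ignores the decoded value, so `\x41` is accepted too; a comment stating that limitation would help rule writers. The end of the function lies outside the hunk.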
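Review bot: DetectPcreParseTest28 only asserts that the previously rejected signature now loads; nothing checks that an uppercase literal next to a `\xHH` escape is still refused. A companion test that passes `pcre:\"/\\x2ESuricata$/W\"` with http_host and expects SigInit to return NULL, e.g. `FAIL_IF(de_ctx->sig_list != NULL);`, would pin the rejecting side of DetectPcreHasUpperCase. Without it, a relaxation that accepts too much goes unnoticed by the suite.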
@@ -3483,6 +3513,7 @@ static void DetectPcreRegisterTests(void) UtRegisterTest("DetectPcreParseTest25", DetectPcreParseTest25); UtRegisterTest("DetectPcreParseTest26", DetectPcreParseTest26); UtRegisterTest("DetectPcreParseTest27", DetectPcreParseTest27); + UtRegisterTest("DetectPcreParseTest28", DetectPcreParseTest28); UtRegisterTest("DetectPcreTestSig01 -- pcre test", DetectPcreTestSig01); UtRegisterTest("DetectPcreTestSig02 -- pcre test", DetectPcreTestSig02);