From: Victor Julien
Date: Sat, 21 Oct 2017 08:16:30 +0000 (+0200)
Subject: detect: handle very large byte_extract'ed values in isdataat
X-Git-Tag: suricata-4.0.2~26
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=77c39b20f8f44adfd0a4ed68e49094016ab6c012;p=thirdparty%2Fsuricata.git
detect: handle very large byte_extract'ed values in isdataat
---
diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c
index d6e355b2e3..ef878b2f65 100644
--- a/src/detect-engine-content-inspection.c
+++ b/src/detect-engine-content-inspection.c
@@ -365,7 +365,16 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
 const DetectIsdataatData *id = (DetectIsdataatData *)smd->ctx;
 uint32_t dataat = id->dataat;
 if (id->flags & ISDATAAT_OFFSET_BE) {
- dataat = det_ctx->bj_values[dataat];
+ uint64_t be_value = det_ctx->bj_values[dataat];
+ if (be_value >= 100000000) {
+ if ((id->flags & ISDATAAT_NEGATED) == 0) {
+ SCLogDebug("extracted value %"PRIu64" very big: no match", be_value);
+ goto no_match;
+ }
+ SCLogDebug("extracted value way %"PRIu64" very big: match", be_value);
+ goto match;
+ }
+ dataat = (uint32_t)be_value;
 SCLogDebug("isdataat: using value %u from byte_extract local_id %u", dataat, id->dataat);
 }
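Review bot: The cut-off `100000000` in the new `be_value` check is a bare literal, with no comment saying why that value was chosen or that it guards the `(uint32_t)be_value` narrowing below it. Before this commit that assignment presumably truncated a large traffic-derived value into a small offset. I would name the limit and state the reason, e.g. `#define ISDATAAT_BE_VALUE_MAX 100000000 /* assumed larger than any inspected buffer; keeps the uint32_t cast lossless */` and `if (be_value >= ISDATAAT_BE_VALUE_MAX) {` (the macro name is a suggestion, not an existing identifier). The second debug string reads "extracted value way ... very big"; `"extracted value %"PRIu64" very big: match"` would mirror the first message. The comparison of `dataat` against the buffer length lies after the hunk and is not visible here, so confirm there that values just under the cut-off cannot overflow when added to the current offset.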