From: Philippe Antoine
Date: Thu, 23 Jul 2020 09:26:16 +0000 (+0200)
Subject: signature: checks for integer overflow in limits propagation
X-Git-Tag: suricata-5.0.4~35
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=840a0de0b7e4341007960f29c822b1201f9ab453;p=thirdparty%2Fsuricata.git

signature: checks for integer overflow in limits propagation

(cherry picked from commit 61c327dd80f02484481cbea6d48168063ae90a69)
---

diff --git a/src/detect-content.c b/src/detect-content.c
index 8f7ddea461..2217943d7f 100644
--- a/src/detect-content.c
+++ b/src/detect-content.c
@@ -545,7 +545,11 @@ void DetectContentPropagateLimits(Signature *s)
 (cd->flags & (DETECT_CONTENT_DEPTH|DETECT_CONTENT_OFFSET|DETECT_CONTENT_WITHIN|DETECT_CONTENT_DISTANCE)) == (DETECT_CONTENT_DISTANCE)) {
 if (cd->distance >= 0) {
 // only distance
- offset = cd->offset = offset_plus_pat + cd->distance;
+ if ((uint32_t)offset_plus_pat + cd->distance <= UINT16_MAX) {
+ offset = cd->offset = offset_plus_pat + cd->distance;
+ } else {
+ SCLogDebug("not updated content offset as it would overflow : %u + %d", offset_plus_pat, cd->distance);
+ }
 offset_plus_pat = offset + cd->content_len;
 SCLogDebug("offset %u offset_plus_pat %u", offset, offset_plus_pat);
 }
@@ -710,6 +714,8 @@ static int DetectContentDepthTest01(void)
 // hi end: depth '13' (4+9) + distance 55 = 68 + within 2 = 70
 TEST_RUN("content:\"=\"; offset:4; depth:9; content:\"=&\"; distance:55; within:2;", 60, 70);
 
+ TEST_RUN("content:\"0123456789\"; content:\"abcdef\"; distance:2147483647;", 10, 0);
+
 TEST_DONE;
 }
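Review bot: The new guard covers only the `offset_plus_pat + cd->distance` sum; the context line right after it, `offset_plus_pat = offset + cd->content_len;`, still runs on both branches without a range check. If `offset_plus_pat` is a 16-bit value, as the `UINT16_MAX` bound suggests (its declaration is outside the hunk), that sum can wrap when `offset` is near the limit, and in the else branch it is computed from the `offset` left over from the previous content. Consider the same pattern there, e.g. `if ((uint32_t)offset + cd->content_len <= UINT16_MAX) offset_plus_pat = offset + cd->content_len;`, plus a one-line comment on the else branch saying the limit is deliberately left unpropagated for this content. DetectContentPropagateLimits starts and ends outside the hunk, so other additions in it may need the same check.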
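Review bot: The added `TEST_RUN` has no explanatory comment, unlike the case above it, which documents how its expected values are derived; a line such as `// offset 10 + distance 2147483647 exceeds UINT16_MAX: offset must not be propagated` would make the expected pair `10, 0` reviewable. The test also exercises only a value far past the limit, so the `<=` boundary in the new guard is not pinned. Cases where pattern end plus distance equals exactly `UINT16_MAX`, and one above it, would catch an off-by-one in the comparison. The body of DetectContentDepthTest01 begins outside the hunk.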