From: Jeff Lucovsky <jlucovsky@oisf.net>
Date: Tue, 28 Mar 2023 14:24:57 +0000 (-0400)
Subject: detect/byte_math: fix bug in byte_math detection
X-Git-Tag: suricata-6.0.11~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a7fbfd572c6ff595f606aef59b67a0a266d15c5a;p=thirdparty%2Fsuricata.git

detect/byte_math: fix bug in byte_math detection

Issue: 5945

Avoid division by zero when the byte_math operation is division and the
rvalue is 0.

(cherry picked from commit 38c5e89e2959fcb22994ac4b232c7c298dd7d699)
---

diff --git a/src/detect-bytemath.c b/src/detect-bytemath.c
index 83593110b7..5acd354c13 100644
--- a/src/detect-bytemath.c
+++ b/src/detect-bytemath.c
@@ -208,7 +208,6 @@ int DetectByteMathDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *sm
     BUG_ON(extbytes > len);
 
     ptr += extbytes;
-    det_ctx->buffer_offset = ptr - payload;
 
     switch (data->oper) {
         case DETECT_BYTEMATH_OPERATOR_NONE:
@@ -220,6 +219,10 @@ int DetectByteMathDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *sm
             val -= rvalue;
             break;
         case DETECT_BYTEMATH_OPERATOR_DIVIDE:
+            if (rvalue == 0) {
+                SCLogDebug("avoiding division by zero");
+                return 0;
+            }
             val /= rvalue;
             break;
         case DETECT_BYTEMATH_OPERATOR_MULTIPLY:
@@ -237,6 +240,8 @@ int DetectByteMathDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *sm
             break;
     }
 
+    det_ctx->buffer_offset = ptr - payload;
+
     if (data->flags & DETECT_BYTEMATH_FLAG_BITMASK) {
         val &= data->bitmask_val;
         if (val && data->bitmask_shift_count) {
@@ -1194,7 +1199,7 @@ static int DetectByteMathPacket02(void)
 
     /*
      * byte_extract: Extract 1 byte from offset 0 --> 0x38
-     * byte_math: Extract 1 byte from offset 1 (0x38)
+     * byte_math: Extract 1 byte from offset -1 (0x38)
      *            Add 0x38 + 0x38 = 112 (0x70)
      * byte_test: Compare 2 bytes at offset 13 bytes from last
      *            match and compare with 0x70
@@ -1329,7 +1334,7 @@ static void DetectByteMathRegisterTests(void)
     UtRegisterTest("DetectByteMathParseTest14", DetectByteMathParseTest14);
     UtRegisterTest("DetectByteMathParseTest15", DetectByteMathParseTest15);
     UtRegisterTest("DetectByteMathParseTest16", DetectByteMathParseTest16);
-    UtRegisterTest("DetectByteMathPacket01",    DetectByteMathPacket01);
+    UtRegisterTest("DetectByteMathPacket01", DetectByteMathPacket01);
     UtRegisterTest("DetectByteMathPacket02", DetectByteMathPacket02);
     UtRegisterTest("DetectByteMathContext01", DetectByteMathContext01);
 }