From: Philippe Antoine <contact@catenacyber.fr>
Date: Thu, 23 Jul 2020 09:26:16 +0000 (+0200)
Subject: signature: checks for integer overflow in limits propagation
X-Git-Tag: suricata-6.0.0-beta1~78
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a99ad4c1e4251c8a4a667d613ccb1fb334a9b268;p=thirdparty%2Fsuricata.git

signature: checks for integer overflow in limits propagation
---

diff --git a/src/detect-content.c b/src/detect-content.c
index dbd72fc046..baa63053db 100644
--- a/src/detect-content.c
+++ b/src/detect-content.c
@@ -499,7 +499,11 @@ void DetectContentPropagateLimits(Signature *s)
                     SCLogDebug("stored: offset %u depth %u offset_plus_pat %u", offset, depth, offset_plus_pat);
 
                     if (cd->flags & DETECT_CONTENT_DISTANCE && cd->distance >= 0) {
-                        offset = cd->offset = offset_plus_pat + cd->distance;
+                        if ((uint32_t)offset_plus_pat + cd->distance <= UINT16_MAX) {
+                            offset = cd->offset = offset_plus_pat + cd->distance;
+                        } else {
+                            SCLogDebug("not updated content offset as it would overflow : %u + %d", offset_plus_pat, cd->distance);
+                        }
                         SCLogDebug("updated content to have offset %u", cd->offset);
                     }
                     if (have_anchor && !last_reset && offset_plus_pat && cd->flags & DETECT_CONTENT_WITHIN && cd->within >= 0) {