From: Jason Ish <jason.ish@oisf.net>
Date: Fri, 26 Jun 2020 17:45:38 +0000 (-0600)
Subject: file-hash-common: fix rule_file truncation
X-Git-Tag: suricata-6.0.0-beta1~316
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b8d1677b9ce25a2fe2e1d275518613f9c7a45548;p=thirdparty%2Fsuricata.git

file-hash-common: fix rule_file truncation

Loading file hash lists uses dirname(3) on the
de_ctx->rule_file which modifies the contents,
removing the last part of the path. So on subsequent
calls the rule_file no longer contains the rule_file,
but instead just the directory name.

Mostly noticed when using "-S" with rule files outside
of the default-rule-path which requires more hunting for
the rule file.
---

diff --git a/src/detect-file-hash-common.c b/src/detect-file-hash-common.c
index f39d9a983c..cdd766bc23 100644
--- a/src/detect-file-hash-common.c
+++ b/src/detect-file-hash-common.c
@@ -202,6 +202,7 @@ static DetectFileHashData *DetectFileHashParse (const DetectEngineCtx *de_ctx,
     DetectFileHashData *filehash = NULL;
     FILE *fp = NULL;
     char *filename = NULL;
+    char *rule_filename = NULL;
 
     /* We have a correct hash algorithm option */
     filehash = SCMalloc(sizeof(DetectFileHashData));
@@ -235,12 +236,17 @@ static DetectFileHashData *DetectFileHashParse (const DetectEngineCtx *de_ctx,
         goto error;
     }
 
+    rule_filename = SCStrdup(de_ctx->rule_file);
+    if (rule_filename == NULL) {
+        goto error;
+    }
+
     char line[8192] = "";
     fp = fopen(filename, "r");
     if (fp == NULL) {
 #ifdef HAVE_LIBGEN_H
         if (de_ctx->rule_file != NULL) {
-            char *dir = dirname(de_ctx->rule_file);
+            char *dir = dirname(rule_filename);
             if (dir != NULL) {
                 char path[PATH_MAX];
                 snprintf(path, sizeof(path), "%s/%s", dir, str);
@@ -287,6 +293,7 @@ static DetectFileHashData *DetectFileHashParse (const DetectEngineCtx *de_ctx,
     }
     SCLogInfo("Hash hash table size %u bytes%s", ROHashMemorySize(filehash->hash), filehash->negated ? ", negated match" : "");
 
+    SCFree(rule_filename);
     SCFree(filename);
     return filehash;
 
@@ -297,6 +304,9 @@ error:
         fclose(fp);
     if (filename != NULL)
         SCFree(filename);
+    if (rule_filename != NULL) {
+        SCFree(rule_filename);
+    }
     return NULL;
 }