From: Philippe Antoine Date: Wed, 14 Oct 2020 19:25:40 +0000 (+0200) Subject: detect: null sanity checks for pkthdr X-Git-Tag: suricata-5.0.5~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e1501231d7cb34766d5ed9d8dd716aa218d3491d;p=thirdparty%2Fsuricata.git detect: null sanity checks for pkthdr Even when the rules are only applied on traffic with the protocol the structure for the protocol header can be set to NULL if there was an error parsing the header
---
diff --git a/src/detect-ipv4hdr.c b/src/detect-ipv4hdr.c
index f963cd1a48..87b29c5aef 100644
--- a/src/detect-ipv4hdr.c
+++ b/src/detect-ipv4hdr.c
@@ -100,6 +100,10 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
 if (buffer->inspect == NULL) {
+ if (p->ip4h == NULL) {
+ // DETECT_PROTO_IPV4 does not prefilter
+ return NULL;
+ }
 uint32_t hlen = IPV4_GET_HLEN(p);
 if (((uint8_t *)p->ip4h + (ptrdiff_t)hlen) >
 ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p)))
diff --git a/src/detect-ipv6hdr.c b/src/detect-ipv6hdr.c
index 4a94ffbed6..ea88b589ad 100644
--- a/src/detect-ipv6hdr.c
+++ b/src/detect-ipv6hdr.c
@@ -100,6 +100,10 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
 if (buffer->inspect == NULL) {
+ if (p->ip6h == NULL) {
+ // DETECT_PROTO_IPV6 does not prefilter
+ return NULL;
+ }
 uint32_t hlen = IPV6_HEADER_LEN + IPV6_GET_EXTHDRS_LEN(p);
 if (((uint8_t *)p->ip6h + (ptrdiff_t)hlen) >
 ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p)))
diff --git a/src/detect-tcphdr.c b/src/detect-tcphdr.c
index 30a3c828fd..3b0cde3f31 100644
--- a/src/detect-tcphdr.c
+++ b/src/detect-tcphdr.c
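Review bot: The comment on the new `p->ip4h == NULL` guard in src/detect-ipv4hdr.c, `// DETECT_PROTO_IPV4 does not prefilter`, does not say why the pointer can be NULL, and the `p->ip6h` guard in src/detect-ipv6hdr.c uses the same wording. The commit message gives the reason (the header pointer can be left NULL when parsing the header fails), and that is what a reader of GetData needs at this line. I would write `// ip4h is NULL when the IPv4 header failed to parse; DETECT_PROTO_IPV4 does not prefilter those packets`, with the IPv6 equivalent in the other file. GetData starts and ends outside both hunks, so how its other exits return is not visible here.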
@@ -101,6 +101,11 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
 if (buffer->inspect == NULL) {
+ if (p->tcph == NULL) {
+ // may happen when DecodeTCPPacket fails
+ // for instance with invalid header length
+ return NULL;
+ }
 uint32_t hlen = TCP_GET_HLEN(p);
 if (((uint8_t *)p->tcph + (ptrdiff_t)hlen) >
 ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p)))
diff --git a/src/detect-udphdr.c b/src/detect-udphdr.c
index 6054193f96..a8900048be 100644
--- a/src/detect-udphdr.c
+++ b/src/detect-udphdr.c
@@ -99,6 +99,9 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
 if (buffer->inspect == NULL) {
+ if (p->udph == NULL) {
+ return NULL;
+ }
 if (((uint8_t *)p->udph + (ptrdiff_t)UDP_HEADER_LEN) >
 ((uint8_t *)GET_PKT_DATA(p) + (ptrdiff_t)GET_PKT_LEN(p)))
 {
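Review bot: The early `return NULL` for `p->tcph == NULL` in src/detect-tcphdr.c means no inspection buffer is produced for a packet whose TCP header failed to decode, so a rule that relies on this keyword cannot match such a packet; the same holds for the ip4h, ip6h and udph guards in the other three files. That is the safe behaviour, but the comment states only the cause and not this consequence. I would add a line such as `// no buffer is produced, so this keyword never matches a packet with an undecodable header`, which makes clear that coverage for malformed headers has to come from elsewhere, presumably from rules on the decoder's own events. GetData's body continues outside the hunk.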
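Review bot: The `p->udph == NULL` guard in src/detect-udphdr.c is the only one of the four added guards that carries no comment. Someone reading this file alone gets no hint that `udph` can be NULL on traffic already selected as UDP; `// may happen when UDP header decoding fails` above the `return NULL;` would match the wording of the TCP hunk. The enclosing GetData starts and ends outside the hunk.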