From: Victor Julien Date: Mon, 24 Jan 2022 22:30:51 +0000 (+0100) Subject: detect/frames: fix crash when parsing bad rule X-Git-Tag: suricata-7.0.0-beta1~981 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e902aaf838acb552350078070092a2c61b918b19;p=thirdparty%2Fsuricata.git detect/frames: fix crash when parsing bad rule Indexing of Signature::init_data::smlists would fail for a rule that used a frame w/o content, as the array would only be expanded when adding a content. Adding a check to see if the list id is in bounds is an implicit check for the "no content" case. Bug #5011. --- diff --git a/src/detect-parse.c b/src/detect-parse.c index 5df5c54ed7..e3cb589729 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -1672,7 +1672,8 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s) /* check for sticky buffers that were set w/o matches * e.g. alert ... (file_data; sid:1;) */ if (s->init_data->list != DETECT_SM_LIST_NOTSET) { - if (s->init_data->smlists[s->init_data->list] == NULL) { + if (s->init_data->list >= (int)s->init_data->smlists_array_size || + s->init_data->smlists[s->init_data->list] == NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "rule %u setup buffer %s but didn't add matches to it", s->id, DetectEngineBufferTypeGetNameById(de_ctx, s->init_data->list));
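Review bot: in the new condition in SigValidate, the reason an out-of-range `s->init_data->list` counts as "no matches added" is stated only in the commit message (smlists is expanded only when a content is added), while the comment above the block still describes just the NULL case; a short comment on the added `>=` line would keep a later reader from treating it as a redundant guard. The `(int)` cast on `smlists_array_size` makes the comparison signed, so only the upper bound is checked and the code relies on the outer `!= DETECT_SM_LIST_NOTSET` test to exclude every negative value of `list`; that is worth confirming, or making explicit with a `< 0` test. A regression test with a rule that sets a frame without content (Bug #5011) would pin the fix.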