From: Jeff Lucovsky Date: Wed, 7 Dec 2022 15:20:06 +0000 (-0500) Subject: content: Constrain distance/within values X-Git-Tag: suricata-7.0.0-rc2~493 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f57c11df3fc1c60bf6e89e180f874db31f5129d7;p=thirdparty%2Fsuricata.git content: Constrain distance/within values Ticket: 5740 This commit constrains the values for distance and limit to 1MB. The constraint is enforced while parsing the keyword values.
---
diff --git a/src/detect-content.c b/src/detect-content.c
index aec5f631f8..891eee523a 100644
--- a/src/detect-content.c
+++ b/src/detect-content.c
@@ -863,7 +863,7 @@ static int DetectContentDepthTest01(void)
 TEST_RUN("content:\"=\"; offset:4; depth:9; content:\"=&\"; distance:55; within:2;", 60, 70);
 // distance value is too high so we bail and not set anything on this content
- TEST_RUN("content:\"0123456789\"; content:\"abcdef\"; distance:2147483647;", 0, 0);
+ TEST_RUN("content:\"0123456789\"; content:\"abcdef\"; distance:1048576;", 0, 0);
 // Bug #5162.
 TEST_RUN("content:\"SMB\"; depth:8; content:\"|09 00|\"; distance:8; within:2;", 11, 18);
diff --git a/src/detect-content.h b/src/detect-content.h
index 3f1fc35e00..ae179ad076 100644
--- a/src/detect-content.h
+++ b/src/detect-content.h
@@ -82,6 +82,11 @@
 ((c)->flags & DETECT_CONTENT_OFFSET) || \
 ((c)->flags & DETECT_CONTENT_FAST_PATTERN_CHOP))
+/*
+ * Values for distance, and within must be less than or equal
+ * to this value (absolute value where required).
+ */
+#define DETECT_CONTENT_VALUE_MAX 1024 * 1024
 #include "util-spm.h"
diff --git a/src/detect-distance.c b/src/detect-distance.c
index 748a0fe1e2..51027d1f1a 100644
--- a/src/detect-distance.c
+++ b/src/detect-distance.c
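Review bot: In the DetectContentDepthTest01 hunk the replacement value `distance:1048576` sits exactly on the new limit, which the header comment in this patch describes as inclusive ("less than or equal"), so this case no longer shows a value being refused by the parser, and the comment above it (`// distance value is too high so we bail and not set anything on this content`) is now ambiguous about which check it means. Nothing visible in the patch exercises the rejection path of the new range check. A companion case that expects rule parsing to fail for `distance:1048577` and `within:1048577`, plus the negative counterparts, would pin the boundary on both sides. The test function starts and ends outside the hunk, and TEST_RUN appears to expect a successful parse, so a failing-parse case may need a different helper.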
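Review bot: `DETECT_CONTENT_VALUE_MAX` in detect-content.h is defined as the bare expression `1024 * 1024`, so its value depends on the operators around each use. The two call sites in this patch pass `-DETECT_CONTENT_VALUE_MAX`, which expands to `-1024 * 1024` and only happens to give the intended -1048576. A later `x / DETECT_CONTENT_VALUE_MAX` or `x % DETECT_CONTENT_VALUE_MAX` would silently compute something else, and this constant is the bound applied to integers supplied by rules. Parenthesize the expansion: `#define DETECT_CONTENT_VALUE_MAX (1024 * 1024)`.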
@@ -117,7 +117,8 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
 cd->distance = index;
 cd->flags |= DETECT_CONTENT_DISTANCE_VAR;
 } else {
- if (StringParseInt32(&cd->distance, 0, 0, str) < 0) {
+ if ((StringParseI32RangeCheck(&cd->distance, 0, 0, str, -DETECT_CONTENT_VALUE_MAX,
+ DETECT_CONTENT_VALUE_MAX) < 0)) {
 SCLogError("invalid value for distance: %s", str);
 return -1;
 }
diff --git a/src/detect-within.c b/src/detect-within.c
index 799f1ed2a6..91662e070f 100644
--- a/src/detect-within.c
+++ b/src/detect-within.c
@@ -113,7 +113,8 @@ static int DetectWithinSetup(DetectEngineCtx *de_ctx, Signature *s, const char *
 cd->within = index;
 cd->flags |= DETECT_CONTENT_WITHIN_VAR;
 } else {
- if (StringParseInt32(&cd->within, 0, 0, str) < 0) {
+ if ((StringParseI32RangeCheck(&cd->within, 0, 0, str, -DETECT_CONTENT_VALUE_MAX,
+ DETECT_CONTENT_VALUE_MAX) < 0)) {
 SCLogError("invalid value for within: %s", str);
 return -1;
 }
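Review bot: The range check in DetectDistanceSetup covers only the literal branch; the branch just above it stores `index` and sets `DETECT_CONTENT_DISTANCE_VAR`, so a distance taken from a variable is not bounded at parse time, and the same holds for the `DETECT_CONTENT_WITHIN_VAR` branch in the detect-within.c hunk. If the limit exists to keep later offset arithmetic in range, the value resolved at match time presumably needs the same bound or a rejection; that code is outside this patch, so confirm it there. Smaller point for both hunks: the error text could state the bound, e.g. `SCLogError("invalid value for distance: %s (allowed range is +/-%d)", str, DETECT_CONTENT_VALUE_MAX);`, and the doubled parentheses around the condition can go. Both functions start and end outside their hunks.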