From: Philippe Antoine
Date: Tue, 25 Jun 2024 12:27:24 +0000 (+0200)
Subject: fuzz/detect: forbid rule with pcre only on stream
X-Git-Tag: suricata-8.0.0-beta1~793
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F11958%2Fhead;p=thirdparty%2Fsuricata.git
fuzz/detect: forbid rule with pcre only on stream to avoid fuzzing blocks on timeouts with known bad rules Ticket: 4858
---
diff --git a/src/detect-content.c b/src/detect-content.c
index 6d3852ecc5..9625e7426d 100644
--- a/src/detect-content.c
+++ b/src/detect-content.c
@@ -453,6 +453,25 @@ void SigParseRequiredContentSize(
 */
 bool DetectContentPMATCHValidateCallback(const Signature *s)
 {
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+ bool has_pcre = false;
+ bool has_content = false;
+ for (SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH]; sm != NULL; sm = sm->next) {
+ if (sm->type == DETECT_PCRE) {
+ has_pcre = true;
+ } else if (sm->type == DETECT_CONTENT) {
+ has_content = true;
+ break;
+ }
+ }
+ if (has_pcre && !has_content) {
+ // Fuzzing does not allow rules with pcre and without content on payload
+ // as it is known to be a bad rule for performance causing possible timeouts
+ // Engine analysis has more generic warn_pcre_no_content about this
+ return false;
+ }
+#endif
+
 if (!(s->flags & SIG_FLAG_DSIZE)) {
 return true;
 }
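Review bot: The fuzz-only rejection at `return false` emits no diagnostic, so in a FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION build a rule carrying `pcre` but no `content` in the payload list fails to load with nothing in the log naming the cause, which makes a corpus entry that trips this gate hard to tell apart from a genuine parse failure. If the sibling checks in this callback report their reason through SCLogError (they sit outside the hunk, so this is inferred), this branch should match them, e.g. `SCLogError("fuzz build: rejecting rule with pcre but no content in payload");` immediately before the return. The function's doc comment, which starts above the hunk, should also state that the payload-pcre rejection applies only under the fuzzing macro, so a rule accepted by a production build but refused by a fuzz build is recognised as intended rather than as a parser divergence, and that the engine-analysis warning warn_pcre_no_content remains the production-side signal for the same rule shape. DetectContentPMATCHValidateCallback continues past the end of the hunk.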