From: Andreas Herz <andi@geekosphere.org>
Date: Sat, 4 Jun 2016 22:48:38 +0000 (+0200)
Subject: detect-filemagic: fix heap-use-after-free
X-Git-Tag: suricata-3.1RC1~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2138%2Fhead;p=thirdparty%2Fsuricata.git

detect-filemagic: fix heap-use-after-free

This fixes the heap-use-after-free issue with sm being freed without
being removed from the signature (s) list. Move the protocol check for
rules with filemagic before the alloc and make the error log more
precise.
---

diff --git a/src/detect-filemagic.c b/src/detect-filemagic.c
index 6ca7b6cd43..26fcd44390 100644
--- a/src/detect-filemagic.c
+++ b/src/detect-filemagic.c
@@ -338,6 +338,11 @@ static int DetectFilemagicSetup (DetectEngineCtx *de_ctx, Signature *s, char *st
     DetectFilemagicData *filemagic = NULL;
     SigMatch *sm = NULL;
 
+    if (s->alproto != ALPROTO_HTTP && s->alproto != ALPROTO_SMTP) {
+        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rules with filemagic need to have protocol set to http or smtp.");
+        goto error;
+    }
+
     filemagic = DetectFilemagicParse(str);
     if (filemagic == NULL)
         goto error;
@@ -359,11 +364,6 @@ static int DetectFilemagicSetup (DetectEngineCtx *de_ctx, Signature *s, char *st
 
     SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_FILEMATCH);
 
-    if (s->alproto != ALPROTO_HTTP && s->alproto != ALPROTO_SMTP) {
-        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
-        goto error;
-    }
-
     if (s->alproto == ALPROTO_HTTP) {
         AppLayerHtpNeedFileInspection();
     }