From: Victor Julien
Date: Tue, 28 Nov 2017 09:28:07 +0000 (+0100)
Subject: detect/depth: reject rules with depth smaller than content
X-Git-Tag: suricata-4.0.2~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F3029%2Fhead;p=thirdparty%2Fsuricata.git
detect/depth: reject rules with depth smaller than content
---
diff --git a/src/detect-depth.c b/src/detect-depth.c
index b65821bb41..3c8af60462 100644
--- a/src/detect-depth.c
+++ b/src/detect-depth.c
@@ -113,6 +113,12 @@ static int DetectDepthSetup (DetectEngineCtx *de_ctx, Signature *s, const char *
 "invalid value for depth: %s", str);
 goto end;
 }
+
+ if (cd->depth < cd->content_len) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "depth:%u smaller than "
+ "content of len %u", cd->depth, cd->content_len);
+ return -1;
+ }
 /* Now update the real limit, as depth is relative to the offset */
 cd->depth += cd->offset;
 }
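Review bot: The new length check leaves DetectDepthSetup with `return -1;`, while the error path just above it in the same hunk leaves through `goto end;`, so this path skips whatever the `end` label does. The function body starts and ends outside the hunk, so that cleanup is not visible here, but if `end` releases anything allocated earlier in the function, each rejected rule would leak it at rule-load time. Using `goto end;` here would keep the two error paths consistent, assuming `ret` still holds the failure value at this point as the preceding path implies. A short comment such as `/* a depth shorter than the content can never match */` above the check would also record why the rule is rejected rather than loaded as a signature that silently never fires.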