From f57c11df3fc1c60bf6e89e180f874db31f5129d7 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Wed, 7 Dec 2022 10:20:06 -0500
Subject: [PATCH] content: Constrain distance/within values Ticket: 5740 This commit constrains the values for distance and limit to 1MB. The constraint is enforced while parsing the keyword values.
---
 src/detect-content.c | 2 +-
 src/detect-content.h | 5 +++++
 src/detect-distance.c | 3 ++-
 src/detect-within.c | 3 ++-
 4 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/detect-content.c b/src/detect-content.c
index aec5f631f8..891eee523a 100644
--- a/src/detect-content.c
+++ b/src/detect-content.c
@@ -863,7 +863,7 @@ static int DetectContentDepthTest01(void)
 TEST_RUN("content:\"=\"; offset:4; depth:9; content:\"=&\"; distance:55; within:2;", 60, 70);
 // distance value is too high so we bail and not set anything on this content
- TEST_RUN("content:\"0123456789\"; content:\"abcdef\"; distance:2147483647;", 0, 0);
+ TEST_RUN("content:\"0123456789\"; content:\"abcdef\"; distance:1048576;", 0, 0);
 // Bug #5162.
 TEST_RUN("content:\"SMB\"; depth:8; content:\"|09 00|\"; distance:8; within:2;", 11, 18);
diff --git a/src/detect-content.h b/src/detect-content.h
index 3f1fc35e00..ae179ad076 100644
--- a/src/detect-content.h
+++ b/src/detect-content.h
@@ -82,6 +82,11 @@
 ((c)->flags & DETECT_CONTENT_OFFSET) || \
 ((c)->flags & DETECT_CONTENT_FAST_PATTERN_CHOP))
+/*
+ * Values for distance, and within must be less than or equal
+ * to this value (absolute value where required).
+ */
+#define DETECT_CONTENT_VALUE_MAX 1024 * 1024
 #include "util-spm.h"
diff --git a/src/detect-distance.c b/src/detect-distance.c
index 748a0fe1e2..51027d1f1a 100644
--- a/src/detect-distance.c
+++ b/src/detect-distance.c
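Review bot: In the `DetectContentDepthTest01` hunk of src/detect-content.c, no case exercises the new rejection path: the edited rule uses `distance:1048576;`, which equals `DETECT_CONTENT_VALUE_MAX` and, going by the header comment ("less than or equal"), is presumably still accepted by the parser. If the `0, 0` expectation now comes from limit-propagation logic outside this hunk rather than from the new bound, the comment "distance value is too high so we bail" should say so. A companion case asserting that a signature with `distance:1048577;`, and one with `within:-1048577;`, fails to load would pin the boundary on both sides. The test function starts and ends outside the hunk.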
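Review bot: `DETECT_CONTENT_VALUE_MAX` in src/detect-content.h is defined without parentheses, so its expansion depends on the surrounding expression. The two call sites in this patch write `-DETECT_CONTENT_VALUE_MAX`, which expands to `-1024 * 1024` and happens to evaluate to the intended lower bound, but a later use such as `x / DETECT_CONTENT_VALUE_MAX` or `x % DETECT_CONTENT_VALUE_MAX` would silently compute something else. Since this constant is the bound that keeps rule-supplied values in range, define it as `#define DETECT_CONTENT_VALUE_MAX (1024 * 1024)`. The comment above it also has a stray comma; `Values for distance and within must be less than or equal` reads cleanly.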
@@ -117,7 +117,8 @@ static int DetectDistanceSetup (DetectEngineCtx *de_ctx, Signature *s,
 cd->distance = index;
 cd->flags |= DETECT_CONTENT_DISTANCE_VAR;
 } else {
- if (StringParseInt32(&cd->distance, 0, 0, str) < 0) {
+ if ((StringParseI32RangeCheck(&cd->distance, 0, 0, str, -DETECT_CONTENT_VALUE_MAX,
+ DETECT_CONTENT_VALUE_MAX) < 0)) {
 SCLogError("invalid value for distance: %s", str);
 return -1;
 }
diff --git a/src/detect-within.c b/src/detect-within.c
index 799f1ed2a6..91662e070f 100644
--- a/src/detect-within.c
+++ b/src/detect-within.c
@@ -113,7 +113,8 @@ static int DetectWithinSetup(DetectEngineCtx *de_ctx, Signature *s, const char *
 cd->within = index;
 cd->flags |= DETECT_CONTENT_WITHIN_VAR;
 } else {
- if (StringParseInt32(&cd->within, 0, 0, str) < 0) {
+ if ((StringParseI32RangeCheck(&cd->within, 0, 0, str, -DETECT_CONTENT_VALUE_MAX,
+ DETECT_CONTENT_VALUE_MAX) < 0)) {
 SCLogError("invalid value for within: %s", str);
 return -1;
 }
--
2.47.2
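Review bot: In `DetectDistanceSetup` (src/detect-distance.c) the new `DETECT_CONTENT_VALUE_MAX` range check covers only the literal branch; the branch just above it, which stores `index` and sets `DETECT_CONTENT_DISTANCE_VAR`, is unchanged, so a distance taken from a variable is not bounded at parse time. The same holds for the `DETECT_CONTENT_WITHIN_VAR` branch in the src/detect-within.c hunk. If the match-time code relies on the 1 MB bound to keep its offset arithmetic in range, the resolved variable value needs the same limit there, which is outside this patch. Otherwise a comment on that branch such as `/* variable values are resolved at match time and are not limited by DETECT_CONTENT_VALUE_MAX */` would record the gap. The function body starts and ends outside the hunk.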
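Review bot: The `SCLogError` call after the new range check in `DetectWithinSetup` (src/detect-within.c) still reports only `invalid value for within: %s`, so a rule author whose previously accepted value now exceeds the limit is not told what the limit is. Including the bound makes the rejection self-explanatory, e.g. `SCLogError("invalid value for within: %s (allowed range is +/-%d)", str, DETECT_CONTENT_VALUE_MAX);`; the distance hunk in src/detect-distance.c has the same message shape. The outer parentheses in `if ((StringParseI32RangeCheck(...) < 0))` are redundant and can be dropped. The function body starts and ends outside the hunk.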