From 36e4126227f6ca0695ec8b9553961e536d1dc816 Mon Sep 17 00:00:00 2001 From: Andreas Herz Date: Sun, 5 Jun 2016 00:48:38 +0200 Subject: [PATCH] detect-filemagic: fix heap-use-after-free This fixes the heap-use-after-free issue with sm being freed without being removed from the signature (s) list. Move the protocol check for rules with filemagic before the alloc and make the error log more precise. --- src/detect-filemagic.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/detect-filemagic.c b/src/detect-filemagic.c index 6ca7b6cd43..26fcd44390 100644 --- a/src/detect-filemagic.c +++ b/src/detect-filemagic.c @@ -338,6 +338,11 @@ static int DetectFilemagicSetup (DetectEngineCtx *de_ctx, Signature *s, char *st DetectFilemagicData *filemagic = NULL; SigMatch *sm = NULL; + if (s->alproto != ALPROTO_HTTP && s->alproto != ALPROTO_SMTP) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rules with filemagic need to have protocol set to http or smtp."); + goto error; + } + filemagic = DetectFilemagicParse(str); if (filemagic == NULL) goto error; @@ -359,11 +364,6 @@ static int DetectFilemagicSetup (DetectEngineCtx *de_ctx, Signature *s, char *st SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_FILEMATCH); - if (s->alproto != ALPROTO_HTTP && s->alproto != ALPROTO_SMTP) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); - goto error; - } - if (s->alproto == ALPROTO_HTTP) { AppLayerHtpNeedFileInspection(); } -- 2.47.2