detect/frames: fix crash when parsing bad rule

Indexing of Signature::init_data::smlists would fail for a rule that
used a frame w/o content, as the array would only be expanded when
adding a content. Adding a check to see if there list id is in bounds
is an implicit check for the "no content" case.

Bug #5011.

diff --git a/src/detect-parse.c b/src/detect-parse.c
index 5df5c54ed7c0556bb37afbd06e3b7bac652b1bfe..e3cb589729b26ba0a18ae35b0bda801b4a31489c 100644 (file)
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -1672,7 +1672,8 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
     /* check for sticky buffers that were set w/o matches
      * e.g. alert ... (file_data; sid:1;) */
     if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
-        if (s->init_data->smlists[s->init_data->list] == NULL) {
+        if (s->init_data->list >= (int)s->init_data->smlists_array_size ||
+                s->init_data->smlists[s->init_data->list] == NULL) {
             SCLogError(SC_ERR_INVALID_SIGNATURE,
                     "rule %u setup buffer %s but didn't add matches to it", s->id,
                     DetectEngineBufferTypeGetNameById(de_ctx, s->init_data->list));