detect: tcp.flags rejects non-sensical values

author Philippe Antoine <pantoine@oisf.net>

Thu, 16 Oct 2025 11:04:22 +0000 (13:04 +0200)

committer Victor Julien <victor@inliniac.net>

Fri, 17 Oct 2025 16:17:24 +0000 (18:17 +0200)
author Philippe Antoine <pantoine@oisf.net>
Thu, 16 Oct 2025 11:04:22 +0000 (13:04 +0200)
committer Victor Julien <victor@inliniac.net>
Fri, 17 Oct 2025 16:17:24 +0000 (18:17 +0200)
diff --git a/rust/src/detect/tcp.rs b/rust/src/detect/tcp.rs

index d77e4852c740e67295d4a5fdc074c08a95355958..c52c1081ca9d7a015afc8718a50af63f1d264564 100644 (file)
--- a/rust/src/detect/tcp.rs
+++ b/rust/src/detect/tcp.rs
@@ -64,6 +64,10 @@ pub fn tcp_flags_parse(s: &str) -> Option<DetectUintData<u8>> {
                  SCLogError!("Too many commas");
                  return None;
              }
+            if modifier != DetectBitflagModifier::Equal {
+                SCLogError!("Ignored flags are only meaningful with equal mode");
+                return None;
+            }
              ignoring = true;
          } else if let Some(enum_val) = TcpFlag::from_str(vals) {
              let val = enum_val.into_u();
@@ -142,5 +146,9 @@ mod test {
          assert!(tcp_flags_parse("+S*").is_none());
          let ctx = tcp_flags_parse("CE").unwrap();
          assert_eq!(ctx.arg2, 0xC0);
+        assert!(tcp_flags_parse("A,A").is_none());
+        assert!(tcp_flags_parse("+A,U").is_none());
+        assert!(tcp_flags_parse("*A,U").is_none());
+        assert!(tcp_flags_parse("-A,U").is_none());
      }
  }
author	Philippe Antoine <pantoine@oisf.net>
	Thu, 16 Oct 2025 11:04:22 +0000 (13:04 +0200)
committer	Victor Julien <victor@inliniac.net>
	Fri, 17 Oct 2025 16:17:24 +0000 (18:17 +0200)