From: Anoop Saldanha
Date: Mon, 23 Sep 2013 09:53:12 +0000 (+0530)
Subject: fix for bug #970.
X-Git-Tag: suricata-2.0beta2~344
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d2ea799d38ab37fb143c030fd14ee571d335f4e8;p=thirdparty%2Fsuricata.git
fix for bug #970.
Content strings that are a duplicate of a pattern from another sig, but have a fast_pattern chop being applied, would end up being assigned the same pattern id as the duplicate string. But the string supplied to the mpm would be the chopped string, which might result in the state_table output_state content entry being over-riden by the the fuller string at the final state of the smaller content length, because of which during a match we might end up inspecting the search buffer against the fuller content pattern, instead of the chopped pattern, which would end up being an inspection beyond the buffer bounds.
---
diff --git a/src/util-mpm-ac.c b/src/util-mpm-ac.c
index 5059365a95..463374cba2 100644
--- a/src/util-mpm-ac.c
+++ b/src/util-mpm-ac.c
@@ -1271,6 +1271,8 @@ uint32_t SCACSearch(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx,
 uint32_t k;
 for (k = 0; k < no_of_entries; k++) {
 if (pids[k] & 0xFFFF0000) {
+ if ((i + 1) < pid_pat_list[pids[k] & 0x0000FFFF].patlen)
+ continue;
 if (SCMemcmp(pid_pat_list[pids[k] & 0x0000FFFF].cs,
 buf + i - pid_pat_list[pids[k] & 0x0000FFFF].patlen + 1,
 pid_pat_list[pids[k] & 0x0000FFFF].patlen) != 0) {
@@ -1312,6 +1314,8 @@ uint32_t SCACSearch(MpmCtx *mpm_ctx, MpmThreadCtx *mpm_thread_ctx,
 uint32_t k;
 for (k = 0; k < no_of_entries; k++) {
 if (pids[k] & 0xFFFF0000) {
+ if ((i + 1) < pid_pat_list[pids[k] & 0x0000FFFF].patlen)
+ continue;
 if (SCMemcmp(pid_pat_list[pids[k] & 0x0000FFFF].cs,
 buf + i - pid_pat_list[pids[k] & 0x0000FFFF].patlen + 1,
 pid_pat_list[pids[k] & 0x0000FFFF].patlen) != 0) {
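Review bot: The guard added before `SCMemcmp` carries no comment explaining why a match can end at an offset `i` smaller than the stored `patlen`, which is exactly the pid-collision case the commit message describes; read in the search loop alone it looks like a stray bounds check. Suggest `/* a chopped fast_pattern can share a pid with a longer duplicate; its patlen may exceed the bytes matched so far and would read before buf */` above the `continue`, in both hunks (the second hunk at -1312 repeats the same two lines). The guard only removes the read before `buf`: once `i + 1 >= patlen` the compare still runs against the longer string, so a genuine match of the chopped pattern is silently dropped, and that false negative is closed only if the pid assignment is also corrected on the pattern-registration side, which this diff does not show. The lookup `pid_pat_list[pids[k] & 0x0000FFFF]` is now evaluated four times per entry; taking a local pointer once above the guard would read better. SCACSearch's body starts and ends outside both hunks.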