Bug #1843
closed
Mpm Ac: int overflow during init
Description
SCRealloc failed: Cannot allocate memory, while trying to allocate 18446744071562067968 bytes
in function SCACBSInitNewState

static inline int SCACBSInitNewState(MpmCtx *mpm_ctx)
{
    void *ptmp;
    SCACBSCtx *ctx = (SCACBSCtx *)mpm_ctx->ctx;
    int ascii_code = 0;
    int size = 0;

    /* reallocate space in the goto table to include a new state */
    size = (ctx->state_count + 1) * ctx->single_state_size;
    ptmp = SCRealloc(ctx->goto_table, size);
    //==========================================================================

size is an int, but (ctx->state_count + 1) * ctx->single_state_size is an unsigned int. When the size > 2G, size overflows.
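The conversion chain described above, reproduced as an added example (not part of the original report and not the project's fix). The 1024-byte state size, the two state counts, the uint32_t parameter types and both function names are assumptions chosen to hit the reported value on a 64-bit gcc/clang build; the second count goes beyond the report to show the product wrapping to a small positive size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pattern from the report: the unsigned 32-bit product is stored in an int,
 * and the int is then converted to the allocator's size_t argument. */
static size_t request_size_buggy(uint32_t state_count, uint32_t single_state_size)
{
    int size = 0;
    /* Out-of-range unsigned -> int is implementation-defined; gcc and clang
     * wrap modulo 2^32, so 2^31 becomes INT_MIN. */
    size = (state_count + 1) * single_state_size;
    return (size_t)size; /* a negative int sign-extends to a huge size_t */
}

/* Hardened form (hypothetical helper): widen to size_t before multiplying and
 * reject a product that cannot be represented. Returns 0 on success, -1 on overflow. */
static int request_size_checked(uint32_t state_count, uint32_t single_state_size,
                                size_t *out)
{
    size_t n = (size_t)state_count + 1;
    if (single_state_size != 0 && n > SIZE_MAX / single_state_size)
        return -1;
    *out = n * single_state_size;
    return 0;
}

int main(void)
{
    /* Constructed values: 1024-byte states, counts chosen so the true
     * products are 2^31 and 2^32 + 1024. */
    const uint32_t counts[] = { 2097151u, 4194304u };
    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
        size_t ok = 0;
        int rc = request_size_checked(counts[i], 1024u, &ok);
        printf("state_count=%u buggy=%zu checked=%zu (rc=%d)\n",
               (unsigned)counts[i], request_size_buggy(counts[i], 1024u), ok, rc);
    }
    return 0;
}
```

The first case fails loudly at the allocator with the byte count from the error message; the second would succeed with an undersized buffer, which is the more dangerous outcome.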
Updated by Victor Julien over 8 years ago
What kind of rules do you use to get this issue?
Updated by i3 here over 8 years ago
Victor Julien wrote:
What kind of rules do you use to get this issue?
Like this. The number is 36,000.
alert http any any -> any any (msg:"xxxxxxxxxxxxxxxx"; content:"|6F 88 6E 0D 60 69 88 66 6C 83 60 66 82 49 6E 63 68 02 60 0A 64 66 88 84 48 66 69 68 68 84 02 0C 00 06 64 60 61 6E 66 6C 06 60 61 6E 66 6C 31 04 4C 66 66 84 02 00 03 64 6F 80 02 00 06 68 69 64 84 68 02 29 06 48 66 69 68 68 84 02 29 08 64 61 62 4F 82 64 66 82 02 00 00 00 0C 64 49 64 64 43 60 43 6C 69 66 6E 84 11 41 86 84 4C 6F 68 69 6E 64 43 60 43 6C 69 66 6E 84 0D 4D 61 88 4C 69 6E|"; classtype:trojan-activity; sid:600000021; rev:1;)
Updated by Peter Manev over 8 years ago
The err msg is the same as reported in https://redmine.openinfosecfoundation.org/issues/1827. Would it be related?
Updated by Andreas Herz over 8 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Victor Julien almost 8 years ago
- Status changed from New to Closed
- Assignee changed from OISF Dev to Sascha Steinbiss
- Target version changed from TBD to 3.2.1
Updated by Victor Julien almost 8 years ago
- Subject changed from suricata int overflow to Mpm Ac: int overflow during init