Bug #4403
closedUse after free or read overflow or use of unitized memory in TransformStripWhitespace called by HttpServerBodyXformsGetDataCallback
Description
Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31987
The issue was created a day after this hit master https://github.com/OISF/suricata/pull/5932
The bug may be changing int to int16 in
https://github.com/OISF/suricata/pull/5932/commits/975062cf401f79c00abf728d923c65aabd143af2#diff-99eda33658bd0778da7bf89acbb4e7bbdb9ce82b0ab93486e1643691925f4091L600
Files
Updated by Philippe Antoine over 3 years ago
Generating a lot of signatures with different tranforms (see attached script), I got
5795ERROR: AddressSanitizer: global-buffer-overflow on address 0x00010cca04e2 at pc 0x00010c39e886 bp 0x7ffee397ebb0 sp 0x7ffee397eba8
WRITE of size 1 at 0x00010cca04e2 thread T0
#0 0x10c39e885 in EngineAnalysisRules detect-engine-analyzer.c:1045
Updated by Victor Julien over 3 years ago
- Status changed from New to Assigned
- Priority changed from Normal to High
Updated by Philippe Antoine over 3 years ago
No.
It looks like it is still happening unreproducibly...
I thought it was the multibuffer bug but it still happens...
I will dig again into that
Updated by Philippe Antoine over 3 years ago
So, I guess the problem is indeed changing int to int16 in
https://github.com/OISF/suricata/pull/5932/commits/975062cf401f79c00abf728d923c65aabd143af2#diff-99eda33658bd0778da7bf89acbb4e7bbdb9ce82b0ab93486e1643691925f4091L600
We have DetectAppLayerMpmRegisterByParentId
that will set am->sm_list = id;
with id being a parameter of the function set in DetectBufferTypeGetByIdTransforms
by map->id = de_ctx->buffer_type_id++;
and buffer_type_id
can increase over UINT16_MAX
So, I would suggest first adding some DEBUG_VALIDATE_BUG_ON(id < 0 || id > UINT16_MAX);
Updated by Philippe Antoine over 3 years ago
- Status changed from Assigned to In Review
Updated by Philippe Antoine over 3 years ago
- Status changed from In Review to Closed
Duplicate of #4681 which got put by oss-fuzz tracker