Security #7526

closed

detect: infinite loop in DetectEngineContentInspectionInternal with negated pcre

Added by Philippe Antoine 5 months ago. Updated 1 day ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Label:
Git IDs:
Severity: HIGH
Disclosure Date: 04/28/2025

Description

Found by oss-fuzz
https://issues.oss-fuzz.com/u/1/issues/392180063

Reproducer rule is alert ip any any -> any any (pcre:!/weak"/.*bC/"; byte_extract:1,4,rpkt_len,relative; byte_jump:rpkt_len,0,relative; sid:1;


Files

infu.pcap (972 Bytes), Philippe Antoine, 01/28/2025 01:50 PM

Subtasks 1 (0 open, 1 closed)

Security #7527: detect: infinite loop with negated pcre and indefinite recursion limit setting (7.0.x backport), Closed, Philippe Antoine
Actions #1

Updated by OISF Ticketbot 5 months ago

  • Subtask #7527 added
Actions #2

Updated by OISF Ticketbot 5 months ago

  • Label deleted (Needs backport to 7.0)
Actions #3

Updated by Philippe Antoine 5 months ago

diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c
index dbc18c2980..8bf548c81f 100644
--- a/src/detect-engine-content-inspection.c
+++ b/src/detect-engine-content-inspection.c
@@ -478,6 +478,9 @@ static int DetectEngineContentInspectionInternal(DetectEngineThreadCtx *det_ctx,
                 SCReturnInt(-1);
             }

+            if (prev_offset == 0) {
+                SCReturnInt(-1);
+            }
             det_ctx->buffer_offset = prev_buffer_offset;
             det_ctx->pcre_match_start_offset = prev_offset;
         } while (1);
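
Review bot: the new `if (prev_offset == 0)` exit in the `do { ... } while (1)` loop carries no comment saying why a zero offset means the loop must stop, so the next reader cannot tell a deliberate guard from a workaround. Add a comment naming the case it covers (a match that leaves `pcre_match_start_offset` at 0, so restoring `prev_buffer_offset` and `prev_offset` repeats the same iteration). It is also worth checking whether zero is the only value that can stall the loop: if the real condition is "offset did not advance since the last pass", comparing against the previous iteration's value would cover nonzero stalls as well, and the choice of -1 as the return here should be confirmed against what the earlier `SCReturnInt(-1)` in this block means.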

Fix without understanding the sig

Actions #4

Updated by Philippe Antoine 5 months ago

Here is the pcap to reproduce

I think the root cause is negated pcre not increasing pcre_match_start_offset

Actions #5

Updated by Philippe Antoine 5 months ago

  • Status changed from New to In Review
  • Assignee changed from OISF Dev to Philippe Antoine

Gitlab

Actions #6

Updated by Philippe Antoine 5 months ago

jq '.. | objects | select(.pcre and .pcre.relative_next and .pcre.negated)' rules.json on engine-analysis output tells if a rule is vulnerable
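
The check from the comment above, as an added example that is not part of the ticket or of Suricata: a Python equivalent of the jq filter that also reports which rule each hit belongs to. The sample records are constructed, and the `id`, `lists` and `matches` key names are assumptions about the engine-analysis output; only `pcre.relative_next` and `pcre.negated` come from the ticket.

```python
import json
import sys

def _rule(rule_id, list_name, negated, relative_next):
    # Constructed record; "id", "lists" and "matches" are assumed key names.
    pcre = {"negated": negated, "relative_next": relative_next}
    return {"id": rule_id,
            "lists": {list_name: {"matches": [{"name": "pcre", "pcre": pcre}]}}}

# Constructed sample, one JSON object per line.
SAMPLE = "\n".join(json.dumps(r) for r in [
    _rule(1, "payload", True, True),     # negated and relative_next: flagged
    _rule(2, "payload", True, False),    # negated only: not flagged
    _rule(3, "payload", False, True),    # relative_next only: not flagged
    _rule(4, "http_uri", True, True),    # flagged, found in a different list
])

def load_documents(text):
    """Accept either a single JSON document or one JSON object per line."""
    try:
        return [json.loads(text)]
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]

def has_flagged_pcre(node):
    """Same test as: .. | objects | select(.pcre and .pcre.relative_next and .pcre.negated)"""
    if isinstance(node, dict):
        pcre = node.get("pcre")
        if isinstance(pcre, dict) and pcre.get("relative_next") and pcre.get("negated"):
            return True
        return any(has_flagged_pcre(v) for v in node.values())
    if isinstance(node, list):
        return any(has_flagged_pcre(v) for v in node)
    return False

def flagged_rules(text):
    """Return the id of every top-level rule object containing a flagged pcre."""
    hits = []
    for doc in load_documents(text):
        for rule in (doc if isinstance(doc, list) else [doc]):
            if has_flagged_pcre(rule):
                hits.append(rule.get("id") if isinstance(rule, dict) else None)
    return hits

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for rule_id in flagged_rules(data):
        print("negated pcre with relative_next in rule", rule_id)
```

Run it with the path to rules.json as the only argument; without one it scans the constructed sample.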

Actions #7

Updated by Philippe Antoine 5 months ago

  • Subject changed from detect: infinite loop in DetectEngineContentInspectionInternal to detect: infinite loop in DetectEngineContentInspectionInternal with negated pcre
Actions #8

Updated by Jason Ish 4 months ago

  • Severity changed from MODERATE to HIGH
Actions #10

Updated by Jason Ish 4 months ago

  • Status changed from In Review to Resolved

Has been merged to master.

Actions #11

Updated by Jason Ish 4 months ago

  • Status changed from Resolved to Closed
Actions #12

Updated by Juliana Fajardini Reichow 1 day ago

  • Private changed from Yes to No