Security #7526
closed
detect: infinite loop in DetectEngineContentInspectionInternal with negated pcre
Git IDs:
Severity: HIGH
Disclosure Date: 04/28/2025
Description
Found by oss-fuzz
https://issues.oss-fuzz.com/u/1/issues/392180063
Reproducer rule is alert ip any any -> any any (pcre:!/weak"/.*bC/"; byte_extract:1,4,rpkt_len,relative; byte_jump:rpkt_len,0,relative; sid:1;
Updated by Philippe Antoine 5 months ago
diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c
index dbc18c2980..8bf548c81f 100644
--- a/src/detect-engine-content-inspection.c
+++ b/src/detect-engine-content-inspection.c
@@ -478,6 +478,9 @@ static int DetectEngineContentInspectionInternal(DetectEngineThreadCtx *det_ctx,
SCReturnInt(-1);
}
+ if (prev_offset == 0) {
+ SCReturnInt(-1);
+ }
det_ctx->buffer_offset = prev_buffer_offset;
det_ctx->pcre_match_start_offset = prev_offset;
} while (1);
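Review bot: The new `if (prev_offset == 0)` bail-out carries no comment saying why a zero `prev_offset` must end the loop. As written, the reader has to infer that continuing would write 0 into `det_ctx->pcre_match_start_offset` and re-enter `while (1)`, presumably without making progress. Please add a short comment stating that invariant, confirm that -1 is the intended return value here as in the `SCReturnInt(-1)` just above, and add a regression test built from the reproducer rule in this ticket.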
Fix without understanding the sig
Updated by Philippe Antoine 5 months ago
- Status changed from New to In Review
- Assignee changed from OISF Dev to Philippe Antoine
Gitlab
Updated by Philippe Antoine 5 months ago
jq '.. | objects | select(.pcre and .pcre.relative_next and .pcre.negated)' rules.json
on engine-analysis output tells if a rule is vulnerable
Updated by Philippe Antoine 5 months ago
- Subject changed from detect: infinite loop in DetectEngineContentInspectionInternal to detect: infinite loop in DetectEngineContentInspectionInternal with negated pcre
Updated by Juliana Fajardini Reichow 4 months ago
- CVE set to 2025-29918
Security Advisory: https://github.com/OISF/suricata/security/advisories/GHSA-924c-vvm5-9mqx
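The jq filter quoted earlier in this ticket prints the matching objects themselves, not the rule they belong to. The following is an added example (not part of the ticket or of Suricata) that applies the same condition and reports the owning rule for each hit. Only `pcre.relative_next` and `pcre.negated` come from the filter on this page; the `id`, `raw`, `lists` and `matches` field names and the sample data are assumptions.

```python
import json

# Constructed sample standing in for engine-analysis rules.json output.
# "id", "raw", "lists" and "matches" are assumed field names.
SAMPLE = r'''
{"raw": "alert ip any any -> any any (pcre:!\"/a/\"; byte_jump:1,0,relative; sid:1;)",
 "id": 1,
 "lists": {"packet": {"matches": [
   {"name": "pcre", "pcre": {"relative_next": true, "negated": true}},
   {"name": "byte_jump"}]}}}
{"raw": "alert ip any any -> any any (pcre:\"/a/\"; sid:2;)",
 "id": 2,
 "lists": {"packet": {"matches": [
   {"name": "pcre", "pcre": {"relative_next": false, "negated": false}}]}}}
'''

def iter_json_stream(text):
    """Yield each top-level JSON value from concatenated or array input."""
    dec, pos = json.JSONDecoder(), 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos == len(text):
            return
        value, pos = dec.raw_decode(text, pos)
        if isinstance(value, list):
            yield from value
        else:
            yield value

def jq_true(v):
    # jq treats every value except null and false as true
    return v is not None and v is not False

def has_negated_relative_pcre(node):
    """Recursive equivalent of `.. | objects | select(...)` from the ticket."""
    if isinstance(node, dict):
        p = node.get("pcre")
        if isinstance(p, dict) and jq_true(p.get("relative_next")) and jq_true(p.get("negated")):
            return True
        return any(has_negated_relative_pcre(v) for v in node.values())
    if isinstance(node, list):
        return any(has_negated_relative_pcre(v) for v in node)
    return False

def affected_rules(text):
    """Return (id, raw) for every top-level rule object that matches."""
    return [(r.get("id"), r.get("raw")) for r in iter_json_stream(text)
            if isinstance(r, dict) and has_negated_relative_pcre(r)]

if __name__ == "__main__":
    for sid, raw in affected_rules(SAMPLE):
        print(sid, raw)
```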