Security #7526
closed
detect: infinite loop in DetectEngineContentInspectionInternal with negated pcre
Added by Philippe Antoine 5 months ago.
Updated 1 day ago.
Disclosure Date: 04/28/2025
- Label deleted (Needs backport to 7.0)
diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c
index dbc18c2980..8bf548c81f 100644
--- a/src/detect-engine-content-inspection.c
+++ b/src/detect-engine-content-inspection.c
@@ -478,6 +478,9 @@ static int DetectEngineContentInspectionInternal(DetectEngineThreadCtx *det_ctx,
SCReturnInt(-1);
}
+ if (prev_offset == 0) {
+ SCReturnInt(-1);
+ }
det_ctx->buffer_offset = prev_buffer_offset;
det_ctx->pcre_match_start_offset = prev_offset;
} while (1);
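Review bot: The new `if (prev_offset == 0)` exit at the bottom of the `do { ... } while (1)` loop carries no comment saying why a zero `prev_offset` means the loop cannot make progress, and it tests one specific value rather than whether the offset advanced. Since `prev_offset` is what gets stored in `det_ctx->pcre_match_start_offset` for the next pass, consider bailing out whenever it has not increased relative to the pass that just ran, or fixing the path the thread suspects as the root cause (negated pcre not increasing `pcre_match_start_offset`). Either way, add a comment naming the negated pcre case and a regression test built from the reproducer pcap.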
Fix without understanding the sig
Here is the pcap to reproduce
I think the root cause is negated pcre not increasing pcre_match_start_offset
- Status changed from New to In Review
- Assignee changed from OISF Dev to Philippe Antoine
jq '.. | objects | select(.pcre and .pcre.relative_next and .pcre.negated)' rules.json
on engine-analysis output tells if a rule is vulnerable
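To get the list of affected rules rather than the matching pcre objects, the same test can be applied per rule. This is an added example, not part of the original thread or of the project's code; the `id` field name and the sample records are assumptions constructed for illustration.

```python
import json
import sys

# Constructed sample of engine-analysis output (not taken from a real rule set).
SAMPLE = """
{"id": 1000001, "engines": [{"matches": [{"name": "pcre", "pcre": {"relative_next": true, "negated": true}}]}]}
{"id": 1000002, "engines": [{"matches": [{"name": "pcre", "pcre": {"relative_next": false, "negated": true}}]}]}
{"id": 1000003, "engines": [{"matches": [{"name": "pcre", "pcre": {"relative_next": true, "negated": false}}]}]}
"""

def iter_json_objects(text):
    """Yield each top-level JSON value from a stream of concatenated objects."""
    decoder = json.JSONDecoder()
    pos = 0
    while pos < len(text):
        # raw_decode does not skip leading whitespace, so do it here.
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            break
        obj, pos = decoder.raw_decode(text, pos)
        yield obj

def has_negated_relative_next_pcre(node):
    """Recursive walk applying the same test as the jq filter in the thread."""
    if isinstance(node, dict):
        pcre = node.get("pcre")
        if isinstance(pcre, dict) and pcre.get("relative_next") and pcre.get("negated"):
            return True
        return any(has_negated_relative_next_pcre(v) for v in node.values())
    if isinstance(node, list):
        return any(has_negated_relative_next_pcre(v) for v in node)
    return False

def affected_rules(text):
    """Return the "id" (assumed field name) of every rule that matches."""
    return [rule.get("id") for rule in iter_json_objects(text)
            if isinstance(rule, dict) and has_negated_relative_next_pcre(rule)]

if __name__ == "__main__":
    # Usage: python3 this_script.py rules.json (falls back to the sample).
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for rule_id in affected_rules(data):
        print(rule_id)
```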
- Subject changed from detect: infinite loop in DetectEngineContentInspectionInternal to detect: infinite loop in DetectEngineContentInspectionInternal with negated pcre
- Severity changed from MODERATE to HIGH
- Status changed from In Review to Resolved
Has been merged to master.
- Status changed from Resolved to Closed
- Private changed from Yes to No