Project

General

Profile

Actions

Bug #7549

open

detect: using different sticky buffers for byte_extract and byte_jump leads to undefined value before doing the jump

Added by Philippe Antoine about 2 months ago. Updated about 1 month ago.

Status:
New
Priority:
High
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

As found by oss-fuzz
https://issues.oss-fuzz.com/u/1/issues/394126185

Reproducer is alert ip any any -> any any (msg:"byte_jump varname test sig"; byte_extract:1,4,rpkt_len,relative; http.connection;byte_jump:rpkt_len,0,relative; isdataat:1,relative; classtype:bad-unknown; sid:1;) with suricata-verify/tests/http-connection-toclient/input.pcap

@Jeff Lucovsky I let you complete as you know more about byte_* stuff


Related issues 1 (1 open0 closed)

Related to Suricata - Bug #1412: byte_test checks before byte_extract happens in some casesNewOISF DevActions
Actions #1

Updated by Philippe Antoine about 2 months ago

Solution may be to have DetectByteRetrieveSMVar check the buffer id

Actions #2

Updated by Victor Julien about 1 month ago

  • Priority changed from Normal to High
Actions #3

Updated by Philippe Antoine 24 days ago

  • Related to Bug #1412: byte_test checks before byte_extract happens in some cases added
Actions

Also available in: Atom PDF