Bug #7769
open
DetectFileHashParse: remove redundant de_ctx->rule_file != NULL check
Added by Boris Tonofa 23 days ago.
Updated 8 days ago.
Affected Versions: 6.0.13, 7.0.0, 6.0.14, 7.0.1, 6.0.15, 7.0.2, 6.0.16, 7.0.3, 6.0.17, 7.0.4, 6.0.18, 6.0.19, 7.0.5, 6.0.20, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 8.0.0-beta1, 8.0.0-rc1, 7.0.11, 8.0.0, 7.0.12, 8.0.1, TBD, git master
Description
When Suricata parses rules it invokes DetectFileHashParse() to turn a filemd5/sha1/sha256 keyword into an in-memory hash table. If the rules are supplied from memory, the parser context field de_ctx->rule_file is NULL; nevertheless the code still executes SCStrdup(de_ctx->rule_file). Because strdup(NULL) dereferences a null pointer inside strlen(), Suricata crashes with SIGSEGV during the rule-loading phase.
- Subject changed from DetectFileHashParse crashes when de_ctx->rule_file is NULL (strdup → SIGSEGV) to DetectFileHashParse: remove redundant de_ctx->rule_file != NULL check
In DetectFileHashParse the static analyzer reports a warning for

    rule_filename = SCStrdup(de_ctx->rule_file);

because a few lines later the code still performs

    if (de_ctx->rule_file != NULL) {
        …
    }

de_ctx->rule_file is already guaranteed to be non-NULL at this point, so the run-time check is redundant. Remove the if (de_ctx->rule_file != NULL) block to eliminate the false positive and simplify the codebase.
- Status changed from New to In Review
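The use-before-check ordering discussed in this issue, as an added example that is not Suricata's code: a pointer is duplicated first and compared against NULL afterwards, which is what static analyzers flag, next to an ordering that decides once before the first use. The names `struct ctx`, `dup_str`, `dup_then_check` and `check_then_dup` are hypothetical, and `dup_str` only stands in for `SCStrdup` on the assumption that it calls `strlen()` on its argument as `strdup()` does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the parser context; only rule_file matters. */
struct ctx { const char *rule_file; }; /* NULL when rules come from memory */

enum dup_result { DUP_OK, DUP_NO_FILE, DUP_NO_MEM };

/* Stand-in for SCStrdup(): like strdup(), it calls strlen() on its argument. */
char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p != NULL ? memcpy(p, s, n) : NULL;
}

/* Flagged ordering: use first, NULL check afterwards. Either the check is
 * dead code (pointer never NULL) or the dup_str() call above it is unsafe. */
enum dup_result dup_then_check(const struct ctx *c, char **out)
{
    char *copy = dup_str(c->rule_file);      /* use */
    if (copy == NULL)
        return DUP_NO_MEM;
    if (c->rule_file != NULL) {              /* check after use */
        *out = copy;
        return DUP_OK;
    }
    free(copy);
    return DUP_NO_FILE;
}

/* Consistent ordering: decide once, before the first use. */
enum dup_result check_then_dup(const struct ctx *c, char **out)
{
    *out = NULL;
    if (c->rule_file == NULL)
        return DUP_NO_FILE;                  /* rules came from memory */
    *out = dup_str(c->rule_file);
    return *out != NULL ? DUP_OK : DUP_NO_MEM;
}

int main(void)
{
    struct ctx from_memory = { NULL };       /* constructed input */
    char *name;
    printf("memory-loaded rules: %d\n", check_then_dup(&from_memory, &name));
    return 0;
}
```

Whichever invariant holds for the pointer, the use and the check should agree with it: drop the late check if NULL is impossible, or hoist it above the duplication if NULL is possible.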