Bug #8560 (open)
detect: NULL dereference in rate filter callback registration
Description
SCDetectEngineRegisterRateFilterCallback() is documented as a public extension API for registering a rate filter callback:
https://docs.suricata.io/en/latest/devguide/extending/detect/index.html
It is also used by the bundled library examples:
- examples/lib/custom/main.c
- examples/lib/live/main.c
The function currently calls DetectEngineGetCurrent() and immediately dereferences the returned DetectEngineCtx pointer:
DetectEngineCtx *de_ctx = DetectEngineGetCurrent();
de_ctx->RateFilterCallback = fn;
DetectEngineGetCurrent() can return NULL when the master detect-engine list does not contain a normal, delayed-detect stub, or multi-tenant stub engine. Other call sites in the codebase usually guard this return value before dereferencing it.
For this public API, an external caller has no way to detect the missing internal detect-engine context before the dereference happens. If the API is called while no suitable current detect engine is available, Suricata can crash with a NULL pointer dereference.
Proposed fix:
Check the return value from DetectEngineGetCurrent() in SCDetectEngineRegisterRateFilterCallback(), log an error, and return early when no current detect engine is available.
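As an added illustration of the defect and the proposed guard (not Suricata's own code: the struct, the ModelGetCurrent() stand-in for DetectEngineGetCurrent(), and the function names are simplified assumptions), the unguarded registration is shown beside the hardened one, which checks for a NULL engine, logs, and returns early instead of dereferencing:

```c
/* Added example: simplified model of the bug and the proposed fix.
 * Names and types here are stand-ins, not Suricata's definitions. */
#include <stdio.h>
#include <stddef.h>

typedef int (*RateFilterCallbackFn)(void *tx, void *sig);

typedef struct DetectEngineCtx_ {
    RateFilterCallbackFn RateFilterCallback;
} DetectEngineCtx;

/* Stand-in for DetectEngineGetCurrent(): yields the current engine, or NULL
 * when no normal, delayed-detect stub or multi-tenant stub engine exists. */
static DetectEngineCtx *g_current_de_ctx = NULL;

static DetectEngineCtx *ModelGetCurrent(void)
{
    return g_current_de_ctx;
}

/* Before: the returned pointer is dereferenced unconditionally. With no
 * current engine this is a NULL dereference and the process crashes. */
void RegisterRateFilterCallbackUnguarded(RateFilterCallbackFn fn)
{
    DetectEngineCtx *de_ctx = ModelGetCurrent();
    de_ctx->RateFilterCallback = fn;
}

/* After: guard the return value, log an error and return early.
 * Returns 0 on success, -1 when no current detect engine is available. */
int RegisterRateFilterCallbackGuarded(RateFilterCallbackFn fn)
{
    DetectEngineCtx *de_ctx = ModelGetCurrent();
    if (de_ctx == NULL) {
        fprintf(stderr, "error: no current detect engine; "
                        "rate filter callback not registered\n");
        return -1;
    }
    de_ctx->RateFilterCallback = fn;
    return 0;
}

static int ExampleCallback(void *tx, void *sig) { (void)tx; (void)sig; return 0; }

/* Drives the guarded path with and without a current engine (constructed
 * scenario). Returns the registration result, or -2 if the callback was
 * reported as registered but not actually stored. */
int DemoGuardedRegistration(int engine_available)
{
    DetectEngineCtx ctx = { .RateFilterCallback = NULL };
    g_current_de_ctx = engine_available ? &ctx : NULL;
    int rc = RegisterRateFilterCallbackGuarded(ExampleCallback);
    if (rc == 0 && ctx.RateFilterCallback != ExampleCallback) rc = -2;
    g_current_de_ctx = NULL;
    return rc;
}
```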
Patch branch:
https://github.com/kenifor/suricata/tree/fix-rate-filter-callback-null-deref
Pull request:
TBD
Updated by Philippe Antoine about 9 hours ago
- Assignee set to Jason Ish
Jason, what do you think of this ticket? Real issue?
Updated by Jason Ish about 9 hours ago
- Status changed from New to In Review
- Assignee changed from Jason Ish to Denis Balashov
A PR for review has been submitted: https://github.com/OISF/suricata/pull/15380
Updated by Jason Ish about 9 hours ago
Philippe Antoine wrote in #note-1:
Jason, what do you think of this ticket? Real issue?
I'm curious if this is actually reachable in a real-world scenario.