Bug #8560: detect: NULL dereference in rate filter callback registration

Added by Denis Balashov about 14 hours ago. Updated about 9 hours ago.

Status: In Review
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Subject:
detect: NULL dereference in rate filter callback registration

Description:
SCDetectEngineRegisterRateFilterCallback() is documented as a public extension API for registering a rate filter callback:

https://docs.suricata.io/en/latest/devguide/extending/detect/index.html

It is also used by the bundled library examples:
- examples/lib/custom/main.c
- examples/lib/live/main.c

The function currently calls DetectEngineGetCurrent() and immediately dereferences the returned DetectEngineCtx pointer:

DetectEngineCtx *de_ctx = DetectEngineGetCurrent();
de_ctx->RateFilterCallback = fn;

DetectEngineGetCurrent() can return NULL when the master detect-engine list does not contain a normal, delayed-detect stub, or multi-tenant stub engine. Other call sites in the codebase usually guard this return value before dereferencing it.

For this public API, an external caller cannot recover from the missing internal detect-engine context before the dereference. If the API is called while no suitable current detect engine is available, Suricata can crash with a NULL pointer dereference.

Proposed fix:
Check the return value from DetectEngineGetCurrent() in SCDetectEngineRegisterRateFilterCallback(), log an error, and return early when no current detect engine is available.

Patch branch:
https://github.com/kenifor/suricata/tree/fix-rate-filter-callback-null-deref

Pull request:
TBD
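
A minimal model of the guard proposed above, added here as an illustration; it is not Suricata's code or the patch from the linked branch. The types, `engine_get_current()` and `register_rate_filter_cb()` are hypothetical stand-ins, and returning a status code instead of only logging is an assumption made so the outcome can be checked.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified stand-ins for this example; not Suricata's real types. */
enum engine_kind { ENGINE_NORMAL, ENGINE_DD_STUB, ENGINE_MT_STUB, ENGINE_OTHER };
typedef int (*rate_filter_cb)(int sid);

struct engine_ctx {
    enum engine_kind kind;
    rate_filter_cb rate_filter_callback;
    struct engine_ctx *next;
};

/* Models the master detect-engine list; empty until an engine is linked in. */
static struct engine_ctx *master_list = NULL;

/* First normal, delayed-detect stub or multi-tenant stub engine, else NULL. */
static struct engine_ctx *engine_get_current(void)
{
    for (struct engine_ctx *e = master_list; e != NULL; e = e->next) {
        if (e->kind != ENGINE_OTHER)
            return e;
    }
    return NULL;
}

/* Guarded registration: 0 on success, -1 when no current engine exists. */
static int register_rate_filter_cb(rate_filter_cb fn)
{
    struct engine_ctx *ctx = engine_get_current();
    if (ctx == NULL) {
        fprintf(stderr, "rate filter callback not registered: no current detect engine\n");
        return -1;
    }
    ctx->rate_filter_callback = fn;
    return 0;
}

static int sample_cb(int sid) { return sid; }

int main(void)
{
    struct engine_ctx other = { ENGINE_OTHER, NULL, NULL };
    struct engine_ctx normal = { ENGINE_NORMAL, NULL, NULL };
    master_list = &other;   /* list holds no suitable engine */
    printf("without engine: %d\n", register_rate_filter_cb(sample_cb));
    other.next = &normal;   /* a normal engine becomes available */
    printf("with engine: %d\n", register_rate_filter_cb(sample_cb));
    return 0;
}
```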
