Bug #8635: NULL dereference on HashListTableLookup result in DetectEngineSignatureIsDuplicate

Added by Denis Balashov 9 days ago. Updated about 16 hours ago.

Status: Closed
Priority: Normal
Target version: 9.0.0-beta1
Affected Versions:
Effort:
Difficulty:
Label:

Description

In DetectEngineSignatureIsDuplicate() (detect-parse.c), HashListTableLookup()
is called in four places and the result is dereferenced unconditionally.

The code relies on an invariant — that every Signature in sig_list has a
corresponding dup_sig_hash_table entry — but the invariant is neither
asserted nor guarded. One location has a comment "sw_old == NULL case is
impossible", which acknowledges the assumption but does not enforce it.

If the invariant is ever violated due to a bug in adjacent code, the process
will crash with a NULL dereference.

Flagged by Svace static analyzer at detect-parse.c:3250,3253.

Proposed fix: add DEBUG_VALIDATE_BUG_ON() at each site to catch violations
in debug builds, and NULL guards to prevent a crash in production builds.

Pull request: https://github.com/OISF/suricata/pull/15557
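The pattern the report describes, as an added worked example that is not Suricata's code and not the PR's diff: a cut-down model of sig_list and the duplicate table whose lookup can return NULL, and a duplicate check that asserts the sig_list/dup-table invariant in debug builds and refuses with an error code in release builds instead of dereferencing NULL. The Signature, SigDuplWrapper and DetectEngineCtx structs, the open-addressing table standing in for HashListTable, and the DEBUG_VALIDATE_BUG_ON stand-in are all simplified assumptions; only the names are borrowed from the report. The second scenario splices a signature into sig_list behind the table's back to simulate the "bug in adjacent code" the report mentions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for Suricata's DEBUG_VALIDATE_BUG_ON (assumption, not the real macro):
 * aborts in debug-validation builds, compiles to nothing otherwise. */
#ifdef DEBUG_VALIDATION
#define DEBUG_VALIDATE_BUG_ON(x) do { if (x) { fprintf(stderr, "BUG %s:%d\n", __FILE__, __LINE__); abort(); } } while (0)
#else
#define DEBUG_VALIDATE_BUG_ON(x)
#endif

/* Hypothetical minimal Signature: only what the dedup logic needs. sig_list is newest-first. */
typedef struct Signature_ {
    const char *sig_str;            /* raw rule text, used as the duplicate key */
    struct Signature_ *next;
} Signature;

/* Entry stored in the dup table, in the role of Suricata's SigDuplWrapper (layout assumed). */
typedef struct SigDuplWrapper_ {
    Signature *s;
    Signature *s_prev;              /* signature that precedes s in sig_list */
} SigDuplWrapper;

/* Tiny open-addressing table keyed on sig_str; stands in for HashListTable. */
#define DUP_TABLE_SIZE 64
typedef struct DupTable_ { SigDuplWrapper *slots[DUP_TABLE_SIZE]; } DupTable;

typedef struct DetectEngineCtx_ {
    Signature *sig_list;
    DupTable dup_sig_hash_table;
} DetectEngineCtx;

static unsigned int HashSigStr(const char *s)
{
    unsigned int h = 5381;
    for (; *s; s++) h = h * 33u + (unsigned char)*s;
    return h % DUP_TABLE_SIZE;
}

/* Like HashListTableLookup: returns the wrapper, or NULL when the key is absent. */
static SigDuplWrapper *DupTableLookup(DupTable *t, const char *sig_str)
{
    unsigned int idx = HashSigStr(sig_str);
    for (unsigned int i = 0; i < DUP_TABLE_SIZE; i++) {
        SigDuplWrapper *w = t->slots[(idx + i) % DUP_TABLE_SIZE];
        if (w == NULL) return NULL;
        if (strcmp(w->s->sig_str, sig_str) == 0) return w;
    }
    return NULL;
}

static int DupTableAdd(DupTable *t, SigDuplWrapper *w)
{
    unsigned int idx = HashSigStr(w->s->sig_str);
    for (unsigned int i = 0; i < DUP_TABLE_SIZE; i++) {
        unsigned int slot = (idx + i) % DUP_TABLE_SIZE;
        if (t->slots[slot] == NULL) { t->slots[slot] = w; return 0; }
    }
    return -1;                      /* table full */
}

static void DupTableFree(DupTable *t)
{
    for (unsigned int i = 0; i < DUP_TABLE_SIZE; i++) free(t->slots[i]);
}

/* 1 = sig duplicates a loaded rule, 0 = sig added to sig_list,
 * -1 = allocation failure or broken invariant (guarded instead of crashing). */
int DetectEngineSignatureIsDuplicateGuarded(DetectEngineCtx *de_ctx, Signature *sig)
{
    DupTable *t = &de_ctx->dup_sig_hash_table;
    if (DupTableLookup(t, sig->sig_str) != NULL)
        return 1;

    /* Every Signature in sig_list was registered through this function, so the current
     * head must have a wrapper. That is the invariant the report says is assumed but not
     * enforced: checked here in debug builds, guarded in release builds, before any mutation. */
    SigDuplWrapper *sw_old = NULL;
    if (de_ctx->sig_list != NULL) {
        sw_old = DupTableLookup(t, de_ctx->sig_list->sig_str);
        DEBUG_VALIDATE_BUG_ON(sw_old == NULL);
        if (sw_old == NULL)
            return -1;              /* unguarded code would do sw_old->s_prev = sig and crash */
    }

    SigDuplWrapper *sw = calloc(1, sizeof(*sw));
    if (sw == NULL) return -1;
    sw->s = sig;
    if (DupTableAdd(t, sw) != 0) { free(sw); return -1; }
    if (sw_old != NULL) sw_old->s_prev = sig;
    sig->next = de_ctx->sig_list;
    de_ctx->sig_list = sig;
    return 0;
}

/* Constructed scenario: two distinct rules, then an exact duplicate of the first. Returns 0 on success. */
int ScenarioNormal(void)
{
    DetectEngineCtx ctx = {0};
    Signature a  = { "alert tcp any any -> any 80 (msg:\"a\"; sid:1;)", NULL };
    Signature b  = { "alert tcp any any -> any 443 (msg:\"b\"; sid:2;)", NULL };
    Signature a2 = { "alert tcp any any -> any 80 (msg:\"a\"; sid:1;)", NULL };
    int ra = DetectEngineSignatureIsDuplicateGuarded(&ctx, &a);
    int rb = DetectEngineSignatureIsDuplicateGuarded(&ctx, &b);
    int rd = DetectEngineSignatureIsDuplicateGuarded(&ctx, &a2);
    SigDuplWrapper *wa = DupTableLookup(&ctx.dup_sig_hash_table, a.sig_str);
    int links_ok = (ctx.sig_list == &b && b.next == &a && wa != NULL && wa->s_prev == &b);
    DupTableFree(&ctx.dup_sig_hash_table);
    return (ra == 0 && rb == 0 && rd == 1 && links_ok) ? 0 : -99;
}

/* Constructed scenario: a signature spliced into sig_list without a table entry (the
 * "bug in adjacent code"). Returns -1 when the guard refuses and leaves the context untouched. */
int ScenarioBrokenInvariant(void)
{
    DetectEngineCtx ctx = {0};
    Signature a     = { "alert tcp any any -> any 80 (msg:\"a\"; sid:1;)", NULL };
    Signature rogue = { "alert udp any any -> any 53 (msg:\"rogue\"; sid:3;)", NULL };
    Signature c     = { "alert tcp any any -> any 22 (msg:\"c\"; sid:4;)", NULL };
    DetectEngineSignatureIsDuplicateGuarded(&ctx, &a);
    rogue.next = ctx.sig_list;      /* bypasses registration: invariant now violated */
    ctx.sig_list = &rogue;
    int rc = DetectEngineSignatureIsDuplicateGuarded(&ctx, &c);
    int untouched = (ctx.sig_list == &rogue && DupTableLookup(&ctx.dup_sig_hash_table, c.sig_str) == NULL);
    DupTableFree(&ctx.dup_sig_hash_table);
    return untouched ? rc : -99;
}

int main(void)
{
    printf("normal: %d (expect 0), broken invariant: %d (expect -1)\n",
           ScenarioNormal(), ScenarioBrokenInvariant());
    return 0;
}
```

Compiling with -DDEBUG_VALIDATION turns the second scenario into an abort at the check site, which is the debug-build behaviour the report asks for; without it the function returns -1 and the caller can log and skip the rule. The lookup of the old head is done before the new wrapper is allocated or added, so a refused call leaves sig_list and the table exactly as they were.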

#1 Updated by Denis Balashov 9 days ago

  • Description updated (diff)

#2 Updated by Philippe Antoine 9 days ago

  • Status changed from New to In Review
  • Assignee set to Denis Balashov

#3 Updated by Philippe Antoine about 16 hours ago

  • Status changed from In Review to Closed
  • Target version changed from TBD to 9.0.0-beta1