Bug #8635
Updated by Denis Balashov 9 days ago
In DetectEngineSignatureIsDuplicate() (detect-parse.c), HashListTableLookup() is called in four places and the result is dereferenced unconditionally.

The code relies on an invariant — that every Signature in sig_list has a corresponding dup_sig_hash_table entry — but the invariant is neither asserted nor guarded. One location has a comment "sw_old == NULL case is impossible", which acknowledges the assumption but does not enforce it. If the invariant is ever violated due to a bug in adjacent code, the process will crash with a NULL dereference.

Flagged by Svace static analyzer at detect-parse.c:3250,3253.

Proposed fix: add DEBUG_VALIDATE_BUG_ON() at each site to catch violations in debug builds, and NULL guards to prevent a crash in production builds.

Pull request: https://github.com/OISF/suricata/pull/15557
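The pattern proposed in the report, as an added example that is not Suricata's code and not taken from the pull request: a list whose nodes must each have an entry in a side index, with a debug-only assertion plus a NULL guard at the lookup sites. All names (`ExSig`, `ExWrap`, `ex_unlink`, `EX_DEBUG_BUG_ON`) and the sample data are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
/* Local stand-in for a debug-only assertion (hypothetical, not Suricata's macro):
 * aborts when built with -DEX_DEBUG_VALIDATION, otherwise compiles to nothing. */
#ifdef EX_DEBUG_VALIDATION
#define EX_DEBUG_BUG_ON(c) do { if (c) abort(); } while (0)
#else
#define EX_DEBUG_BUG_ON(c) do { } while (0)
#endif
#define EX_SLOTS 8
typedef struct ExSig { unsigned id; struct ExSig *next; } ExSig;
typedef struct ExWrap { ExSig *s, *prev; } ExWrap;   /* index entry for one node */
typedef struct ExIndex { ExWrap slot[EX_SLOTS]; } ExIndex;

/* Probe from id's home slot: returns the slot holding `want`, or NULL at the first
 * empty slot. With want == NULL it returns the first empty slot (used to insert). */
static ExWrap *ex_probe(ExIndex *ix, unsigned id, const ExSig *want) {
    for (unsigned i = 0; i < EX_SLOTS; i++) {
        ExWrap *w = &ix->slot[(id + i) % EX_SLOTS];
        if (w->s == want) return w;
        if (w->s == NULL) return NULL;
    }
    return NULL;
}
static void ex_index(ExIndex *ix, ExSig *s, ExSig *prev) {
    ExWrap *w = ex_probe(ix, s->id, NULL);
    if (w != NULL) { w->s = s; w->prev = prev; }
}

/* Unlink victim from the list (removal of its index entry is omitted here).
 * Returns 0 on success, -1 if the list/index invariant does not hold. */
static int ex_unlink(ExIndex *ix, ExSig **head, ExSig *victim) {
    ExWrap *w = ex_probe(ix, victim->id, victim);
    ExWrap *wn = victim->next ? ex_probe(ix, victim->next->id, victim->next) : NULL;
    int broken = (w == NULL) || (victim->next != NULL && wn == NULL);
    EX_DEBUG_BUG_ON(broken);   /* debug builds: fail loudly at the violation */
    if (broken) return -1;     /* production builds: refuse before touching the list */
    if (w->prev) w->prev->next = victim->next; else *head = victim->next;
    if (wn) wn->prev = w->prev;
    return 0;
}

/* Constructed data: list a -> b -> c. With skip_c set, c is left out of the index
 * to simulate a bug elsewhere breaking the invariant. Returns ex_unlink's result
 * if the list state matches it (relinked on 0, untouched on -1), else 1. */
static int ex_demo(int skip_c) {
    ExSig c = {3, NULL}, b = {2, &c}, a = {1, &b}, *head = &a;
    ExIndex ix = {0};
    ex_index(&ix, &a, NULL); ex_index(&ix, &b, &a);
    if (!skip_c) ex_index(&ix, &c, &b);
    int r = ex_unlink(&ix, &head, &b);
    return ((r == 0 && a.next == &c) || (r == -1 && a.next == &b)) ? r : 1;
}
int main(void) { printf("ok=%d broken=%d\n", ex_demo(0), ex_demo(1)); return 0; }
```

Both lookups are checked before the first write, so a violated invariant leaves the list unmodified instead of half-updated.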