Project

General

Profile

Actions
Copy link

Bug #3937

closed

Integer overflow in DetectContentPropagateLimits leading to unintended signature behavior

Added by Jeff Lucovsky about 4 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jeff Lucovsky
Target version:
5.0.4
Affected Versions:
5.0.3
Effort:
Difficulty:
Label:

Description

Found by oss-fuzz :
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24105

Reproducer is
alert tcp any any -> any any (msg:"JllWorkAndNoPlay"; content:"threshoBoy"; content:"æ†≤<MrkBoyy"; distance:2147483647“id:0;)

distance:2147483647 is 0x7FFFFFFF aka INT32_MAX

This distance is used to compute a new offset but offset is uint16_t

Related issues 1 (0 open1 closed)

Copied from Suricata - Bug #3840: Integer overflow in DetectContentPropagateLimits leading to unintended signature behaviorClosedPhilippe AntoineActions
Actions
Copy link

Also available in: Atom PDF