Project

General

Profile

Actions
Copy link

Bug #7549

open

detect: using different sticky buffers for byte_extract and byte_jump leads to undefined value before doing the jump

Added by Philippe Antoine 3 months ago. Updated 24 days ago.

Status:
In Progress
Priority:
High
Assignee:
Jeff Lucovsky
Target version:
8.0.0-rc1
Affected Versions:
Effort:
Difficulty:
Label:

Description

As found by oss-fuzz
https://issues.oss-fuzz.com/u/1/issues/394126185

Reproducer is alert ip any any -> any any (msg:"byte_jump varname test sig"; byte_extract:1,4,rpkt_len,relative; http.connection;byte_jump:rpkt_len,0,relative; isdataat:1,relative; classtype:bad-unknown; sid:1;) with suricata-verify/tests/http-connection-toclient/input.pcap

@Jeff Lucovsky I let you complete as you know more about byte_* stuff

Related issues 1 (1 open0 closed)

Related to Suricata - Bug #1412: byte_test checks before byte_extract happens in some casesNewOISF DevActions
Actions
Copy link
 #1

Updated by Philippe Antoine 3 months ago

Solution may be to have DetectByteRetrieveSMVar check the buffer id

Actions
Copy link
 #2

Updated by Victor Julien 2 months ago

  • Priority changed from Normal to High
Actions
Copy link
 #3

Updated by Philippe Antoine about 2 months ago

  • Related to Bug #1412: byte_test checks before byte_extract happens in some cases added
Actions
Copy link
 #4

Updated by Victor Julien 25 days ago

  • Target version changed from 8.0.0-beta1 to 8.0.0-rc1
Actions
Copy link
 #5

Updated by Jeff Lucovsky 25 days ago

  • Status changed from New to In Progress
Actions
Copy link

Also available in: Atom PDF