[Snort-devel] Two bugs in rule parser (one patch)

Erik de Castro Lopo erikd+snort at ...2292...
Mon May 9 18:55:07 EDT 2005


On Tue, 3 May 2005 15:47:12 +1000
Erik de Castro Lopo <erikd+snort at ...2292...> wrote:

> The second problem was that the parser accepted illegal escape 
> sequences, in this case:
> 
>      content:"www\.whatever\.com";
> 
> From the documentation, only the colon, semicolon, backslash and
> doublequote characters need to be escaped.

I've looked at the code for this problem and the parser does 
actually convert the invalid escaped characters to the correct
unescaped character.

However I still think this is a bug worth fixing, so here is a clean
7 line patch against CVS.

Cheers,
Erik


RCS file: /cvsroot/snort/src/detection-plugins/sp_pattern_match.c,v
retrieving revision 1.65
diff -u -r1.65 sp_pattern_match.c
--- src/detection-plugins/sp_pattern_match.c    28 Jan 2005 21:25:15 -0000      1.65
+++ src/detection-plugins/sp_pattern_match.c    10 May 2005 01:44:54 -0000
@@ -1389,6 +1389,13 @@
 
                 if(!literal)
                 {
+                   /* Make sure the next char makes this a valid escape sequence. */
+                   if (idx [1] != '\0' && strchr ("\\\":;", idx [1]) == NULL)
+                   {
+                       FatalError("%s(%d) => bad escape sequence starting with \"%s\". ",
+                               file_name, file_line, idx);
+                   }
+
                     DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "Setting literal\n"););
 
                     literal = 1;
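Review bot: The `idx [1] != '\0'` guard in the new condition means a backslash that is the last character of the pattern still falls through to `literal = 1` with no diagnostic. Removing the guard would not change that, because strchr() matches the terminating NUL of its search string and returns non-NULL for '\0'. If a dangling backslash should be rejected as well, test for it explicitly, for example `if (idx[1] == '\0' || strchr("\\\":;", idx[1]) == NULL)`. In the FatalError call, `%s` with `idx` prints the whole remainder of the pattern rather than the two-character sequence at fault, and the format string ends in a trailing space with no newline. Printing only the offending character (`\\%c` with `idx[1]`) and ending the message with "\n" would make the error easier to act on. Since the message says the parser currently accepts these sequences and unescapes them, rules that load today will abort startup after this change, which deserves a line in the commit message or changelog. Style: `idx [1]` and `strchr (` put a space before the bracket and parenthesis, unlike the surrounding `if(!literal)`.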


-- 
-------------------------------------------------------
[N] Erik de Castro Lopo, Senior Computer Engineer
[E] erik.de.castro.lopo at ...2292...
[W] http://www.sensorynetworks.com
[T] +61 2 83022726
[F] +61 2 94750316
[A] L6/140 William St, East Sydney NSW 2011, Australia
-------------------------------------------------------
A good debugger is no substitute for a good test suite.



