[Snort-devel] [Patch] : detect missing semicolon after content

Erik de Castro Lopo erikd+snort at ...2292...
Mon May 9 20:42:32 EDT 2005


RCS file: /cvsroot/snort/src/detection-plugins/sp_pattern_match.c,v
retrieving revision 1.65
Hi all,

Here is a patch for a bug I mentioned on the list late last week.

The current snort rule parser currently accepts this (note the
missing semicolon):

    content:"foo" nocase;

and silently drops the nocase specifier. This will cause the string
matcher to do case sensitive content matching when the rule author
intended for it to do case insensitive matching.

The patch against current CVS below turns the missing semicolon 
into a fatal error.

Cheers,
Erik

---------------------------------------------------------------

diff -u -r1.65 sp_pattern_match.c
--- src/detection-plugins/sp_pattern_match.c    28 Jan 2005 21:25:15 -0000      1.65
+++ src/detection-plugins/sp_pattern_match.c    10 May 2005 03:28:52 -0000
@@ -1262,6 +1262,7 @@
     char *idx;
     char *dummy_idx;
     char *dummy_end;
+    char *tmp;
     char hex_buf[3];
     u_int dummy_size = 0;
     int size;
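Review bot: the name tmp on the added declaration says nothing about what the pointer holds. It is only used to walk the text after the closing quote, so a name such as trailing would make the check in the next hunk easier to read beside dummy_idx and dummy_end.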
@@ -1316,6 +1317,18 @@
     /* Move the null termination up a bit more */
     *end_ptr = '\0';
 
+    /* Is there anything other than whitespace after the trailing double quote? */
+    tmp = end_ptr + 1;
+    while (*tmp != '\0' && isspace (*tmp))
+        tmp++;
+
+    if (strlen (tmp) > 0)
+    {
+        FatalError("%s(%d) => Bad data (possibly due to missing semicolon) "
+                    "after trailing double quote.",
+                    file_name, file_line, end_ptr + 1);
+    }
+
     /* how big is it?? */
     size = end_ptr - start_ptr;
 
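Review bot: the FatalError() call passes three arguments (file_name, file_line, end_ptr + 1) but the format string contains only %s and %d, so the offending text is never printed. Add a conversion for it, for example "... after trailing double quote: '%s'.", and pass tmp rather than end_ptr + 1 so the leading whitespace is already skipped. In the loop, isspace (*tmp) receives a plain char, which is undefined for negative values when a rule carries bytes above 0x7f; cast to unsigned char. The strlen (tmp) > 0 test can be written as *tmp != '\0'. The visible lines also do not show that end_ptr + 1 is still inside the rule buffer after *end_ptr = '\0'; worth confirming before dereferencing it.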


-- 
-------------------------------------------------------
[N] Erik de Castro Lopo, Senior Computer Engineer
[E] erik.de.castro.lopo at ...2292...
[W] http://www.sensorynetworks.com
[T] +61 2 83022726
[F] +61 2 94750316
[A] L6/140 William St, East Sydney NSW 2011, Australia
-------------------------------------------------------
A good debugger is no substitute for a good test suite.
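
Added example (not part of the original post and not Snort code): a small C check for finding rules already affected by the behaviour described in the post, where text follows a content pattern's closing quote before the semicolon. It assumes Snort 2.x-style option syntax and takes only the option body of a rule (the text between the parentheses); the function name and sample rules are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Snort code. Counts content options in which
 * non-whitespace text sits between the closing double quote and the ';'. */
static int count_unterminated_content(const char *opts)
{
    const char *p = opts;
    int hits = 0;

    while (*p != '\0') {
        int is_content, in_quote = 0, closed = 0, bad = 0;

        while (isspace((unsigned char)*p))
            p++;
        is_content = strncmp(p, "content:", 8) == 0;

        /* Walk to the ';' ending this option; a ';' inside the quoted
         * pattern, escaped or not, is not treated as the terminator. */
        for (; *p != '\0' && (in_quote || *p != ';'); p++) {
            if (in_quote) {
                if (*p == '\\' && p[1] != '\0') {
                    p++;                 /* skip the escaped character */
                } else if (*p == '"') {
                    in_quote = 0;
                    closed = 1;
                }
            } else if (*p == '"' && !closed) {
                in_quote = 1;
            } else if (closed && !isspace((unsigned char)*p)) {
                bad = 1;                 /* e.g. the "nocase" in the post */
            }
        }
        hits += is_content && bad;
        if (*p == ';')
            p++;
    }
    return hits;
}

int main(void)
{
    /* Constructed option bodies; the first repeats the post's example. */
    printf("%d\n", count_unterminated_content("msg:\"t\"; content:\"foo\" nocase; sid:1;"));
    printf("%d\n", count_unterminated_content("msg:\"t\"; content:\"foo\"; nocase; sid:1;"));
    return 0;
}
```

Options other than content (msg, pcre, uricontent and so on) are deliberately not counted, since the post only describes the content case.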



