transform/base64: check for 0-sized buffer #11869

Closed
3 changes: 3 additions & 0 deletions src/detect-transform-base64.c
Expand Up @@ -141,6 +141,9 @@ static void TransformFromBase64Decode(InspectionBuffer *buffer, void *options)
}
decode_length = nbytes;
}
if (decode_length == 0) {
return;
Member

this would leave the original buffer as-is, right? Is that the desired behavior, or should the 0 decoded bytes be the buffer so bsize:0 would match?

Member

decoding behavior below is also pass-through in case of error, so perhaps it makes sense this way

@jlucovsky any thoughts on how it should behave?

Contributor

This transform only updates the buffer when bytes are successfully decoded.

That fact might be important for some rules (no buffer if the input buffer isn't b64-encoded) and bsize: 0 would be one way to tell.

Suggestion: we always update the buffer with the number of decoded bytes -- either 0 or the actual value.

Contributor Author

so, should we create another ticket for it?
I guess other transforms should be updated too, like pcrexform
Or we should even return a NULL buffer when the transform "fails"

}

uint32_t decoded_size = Base64DecodeBufferSize(decode_length);
uint8_t decoded[decoded_size];
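
Review bot: The early return at `if (decode_length == 0)` carries no comment saying why it is needed or what state it leaves behind. In the context lines, `decode_length` feeds `Base64DecodeBufferSize(decode_length)` and then the variable-length array `uint8_t decoded[decoded_size];`, so the guard appears to keep a zero length from reaching that array declaration; please say so in a comment above the check. The `return` also exits without touching `buffer`, so the rule sees the original, undecoded data. Whichever behaviour is settled on (pass-through, or an empty buffer that `bsize:0` can match) should be documented next to the check, and a test with a zero-length input would pin it down.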