detect/transforms: dotprefix can be chained

Ticket: 8537 Otherwise, it may cause a use-after-free, in case of reallocated buffer and we used the buffer inspect which was freed.
2026-05-28 04:32:12 -04:00 · 2026-05-07 10:00:03 +02:00 · 2026-05-07 10:00:03 +02:00 · 6d437956e2
commit 6d437956e2
parent 2b20a436e7
1 changed files with 10 additions and 8 deletions
--- a/rust/src/detect/transforms/dotprefix.rs
+++ b/rust/src/detect/transforms/dotprefix.rs
@ -18,8 +18,8 @@
 use crate::detect::SIGMATCH_NOOPT;
 use suricata_sys::sys::{
    DetectEngineCtx, DetectEngineThreadCtx, InspectionBuffer, SCDetectHelperTransformRegister,
-    SCDetectSignatureAddTransform, SCTransformTableElmt, Signature, SCInspectionBufferCheckAndExpand,
-    SCInspectionBufferTruncate,
+    SCDetectSignatureAddTransform, SCInspectionBufferCheckAndExpand, SCInspectionBufferInPlace,
+    SCInspectionBufferTruncate, SCTransformTableElmt, Signature,
 };

 use std::os::raw::{c_int, c_void};
@ -49,17 +49,19 @@ unsafe extern "C" fn dot_prefix_transform(
    if input_len == 0 {
        return;
    }
+    let inplace = SCInspectionBufferInPlace(buffer);
+
    let output = SCInspectionBufferCheckAndExpand(buffer, input_len + 1);
    if output.is_null() {
        // allocation failure
        return;
    }
-    // get input after possible realloc
-    let input = (*buffer).inspect;
-    if input.is_null() {
-        // allocation failure
-        return;
-    }
+    let input = if inplace {
+        // may have been reallocated
+        (*buffer).buf
+    } else {
+        (*buffer).inspect
+    };
    let input = build_slice!(input, input_len as usize);
    let output = std::slice::from_raw_parts_mut(output, (input_len + 1) as usize);