From 6d437956e2ed2da75976d7635cbe09a953d3c489 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 7 May 2026 10:00:03 +0200
Subject: [PATCH] detect/transforms: dotprefix can be chained

Ticket: 8537
Otherwise, it may cause a use-after-free, in case of reallocated buffer and we used the buffer inspect which was freed.
---
 rust/src/detect/transforms/dotprefix.rs | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/rust/src/detect/transforms/dotprefix.rs b/rust/src/detect/transforms/dotprefix.rs
index 2b52462fba..b6f9738356 100644
--- a/rust/src/detect/transforms/dotprefix.rs
+++ b/rust/src/detect/transforms/dotprefix.rs
@@ -18,8 +18,8 @@
 use crate::detect::SIGMATCH_NOOPT;
 use suricata_sys::sys::{
 DetectEngineCtx, DetectEngineThreadCtx, InspectionBuffer, SCDetectHelperTransformRegister,
- SCDetectSignatureAddTransform, SCTransformTableElmt, Signature, SCInspectionBufferCheckAndExpand,
- SCInspectionBufferTruncate,
+ SCDetectSignatureAddTransform, SCInspectionBufferCheckAndExpand, SCInspectionBufferInPlace,
+ SCInspectionBufferTruncate, SCTransformTableElmt, Signature,
 };
 use std::os::raw::{c_int, c_void};
@@ -49,17 +49,19 @@ unsafe extern "C" fn dot_prefix_transform(
 if input_len == 0 {
 return;
 }
+ let inplace = SCInspectionBufferInPlace(buffer);
+
 let output = SCInspectionBufferCheckAndExpand(buffer, input_len + 1);
 if output.is_null() {
 // allocation failure
 return;
 }
- // get input after possible realloc
- let input = (*buffer).inspect;
- if input.is_null() {
- // allocation failure
- return;
- }
+ let input = if inplace {
+ // may have been reallocated
+ (*buffer).buf
+ } else {
+ (*buffer).inspect
+ };
 let input = build_slice!(input, input_len as usize);
 let output = std::slice::from_raw_parts_mut(output, (input_len + 1) as usize);
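Review bot: In the second hunk (`dot_prefix_transform`), the in-place branch builds `input` from `(*buffer).buf` while `output` is the pointer `SCInspectionBufferCheckAndExpand` returned for the same buffer, so the two slices presumably cover the same allocation; if `build_slice!` produces a `&[u8]`, holding it next to the `&mut [u8]` from `std::slice::from_raw_parts_mut` violates that function's aliasing requirement even with the stale `inspect` read gone. When `inplace` is true, consider creating only the mutable slice and shifting inside it, e.g. `output.copy_within(0..input_len as usize, 1); output[0] = b'.';`, and keeping the two-slice path for the separate-buffer case. The `inplace` line should also carry a comment such as `// must be read before CheckAndExpand: a realloc replaces buf but not inspect`, because sampling it after the expand call would presumably send a reallocated in-place buffer down the `inspect` branch again. The function body continues past the hunk, so the helper that consumes the two slices is not visible here.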