detect/alert: fix same sid alert w same packet bug

with the implementation of configurable packet-alert-max, a bug was found in the way we added alerts to the packet queue. But the new logic exposed a possible bug case when the same signature generated more than one alert for the same packet (from different transactions). This would lead to Suri call memmove with size 0.
OISF · Feb 14, 2022 · 7a420a9 · 7a420a9
1 parent 1827351
commit 7a420a9
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
@@ -189,8 +189,10 @@ int PacketAlertAppend(DetectEngineThreadCtx *det_ctx, const Signature *s,
     SCLogDebug("sid %"PRIu32"", s->id);
 
     /* It should be usually the last, so check it before iterating */
-    if (p->alerts.cnt == 0 || p->alerts.alerts[p->alerts.cnt - 1].num < s->num) {
+    /* Same signatures can generate more than one alert, if it's a diff tx */
+    if (p->alerts.cnt == 0 || p->alerts.alerts[p->alerts.cnt - 1].num <= s->num) {
         /* We just add it */
+
         p->alerts.alerts[p->alerts.cnt].num = s->num;
         p->alerts.alerts[p->alerts.cnt].action = s->action;
         p->alerts.alerts[p->alerts.cnt].flags = flags;