projects / suricata.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: c801403) | patch
[PATCH] output/alert: fix alert index access for verdict
authorJuliana Fajardini <jufajardini@oisf.net>
Sat, 1 Nov 2025 04:38:12 +0000 (21:38 -0700)
committerAndreas Dolp <dev@andreas-dolp.de>
Sun, 22 Feb 2026 12:28:52 +0000 (13:28 +0100)
commit00659298a29ee94c6f795cd2f728ce31465543c2
tree95c3e0afd0928e90299ccb951efd62bfaf00b871tree | snapshot
parentc801403caeede9278f7b420f29c78fa2a4691611commit | diff
[PATCH] output/alert: fix alert index access for verdict

The engine uses p.alerts.cnt as an index to access the packet alert that
has the `pass` action for the verdict.
For IDS/IPS mode, a `pass` will always be the last signature in the
alert queue. However, that position could be either `p.alerts.cnt` or
`p.alerts.cnt-1`, depending on whether the `pass` rule has the `alert`
keyword or not.
This patch fix corner-case scenarios of:
- accessing an index out of boundaries
- off-by-one access
Without changing how the engine increments the alerts.cnt, as this is
used in many places, and would be a more invasive change.
It checks the two different scenarios, plus the case when there is only
a single match as a silent `pass` rule.

Bug #8021
Bug #7630

Origin: upstream, https://github.com/OISF/suricata/commit/5d6c24cc2ce6a390c0956b7ecb2c5efc47e72abc.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8021
Subject: Upstream fix for CVE-2025-64330

Gbp-Pq: Name CVE-2025-64330.patch
src/output-json-alert.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.