[PATCH 2/2] datasets: allocates on the heap if string base64 is long

Ticket: 8110
(cherry picked from commit d6bc718e303ecbec5999066b8bc88eeeca743658)

Origin: upstream, https://github.com/OISF/suricata/commit/27a2180bceaa3477419c78c54fce364398d011f1.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8110
Subject: Upstream fix for CVE-2026-22262 part 2

Gbp-Pq: Name CVE-2026-22262_2.patch

diff --git a/src/datasets-string.c b/src/datasets-string.c
index 524a60ad9af1910fbff904fe7431bb9f696b904f..53a179a1051038ff79623433b35436c42915da5b 100644 (file)
--- a/src/datasets-string.c
+++ b/src/datasets-string.c
@@ -50,8 +50,8 @@ int StringAsBase64(const void *s, char *out, size_t out_size)
 
     unsigned long len = Base64EncodeBufferSize(str->len);
     if (len + 2 > out_size) {
-        // linefeed and final zero
-        return 0;
+        // linefeed and final zero : signal we need more space
+        return len + 2;
     }
     if (Base64Encode((unsigned char *)str->ptr, str->len, (uint8_t *)out, &len) != SC_BASE64_OK)
         return 0;

diff --git a/src/util-thash.c b/src/util-thash.c
index 548637916b18774af18a6355076a921ec14f9665..c6df02cf371a1c9a409d0e5ba9363dfc777fd252 100644 (file)
--- a/src/util-thash.c
+++ b/src/util-thash.c
@@ -390,7 +390,26 @@ int THashWalk(THashTableContext *ctx, THashFormatFunc FormatterFunc, THashOutput
             char output_string[1024] = "";
             int size = FormatterFunc(h->data, output_string, sizeof(output_string));
             if (size > 0) {
-                if (OutputterFunc(output_ctx, (const uint8_t *)output_string, size) < 0) {
+                if (size > 1024) {
+                    // we did not provide enough space on the stack, let's allocate on the heap
+                    char *out_alloc = SCCalloc(1, size);
+                    if (out_alloc == NULL) {
+                        err = true;
+                        break;
+                    }
+                    size = FormatterFunc(h->data, out_alloc, size);
+                    if (size == 0) {
+                        err = true;
+                        SCFree(out_alloc);
+                        break;
+                    }
+                    if (OutputterFunc(output_ctx, (const uint8_t *)out_alloc, size) < 0) {
+                        err = true;
+                        SCFree(out_alloc);
+                        break;
+                    }
+                    SCFree(out_alloc);
+                } else if (OutputterFunc(output_ctx, (const uint8_t *)output_string, size) < 0) {
                     err = true;
                     break;
                 }