CVE-2025-29918
authorPierre Chifflier <pollux@debian.org>
Sun, 30 Mar 2025 10:03:02 +0000 (12:03 +0200)
committerThorsten Alteholz <debian@alteholz.de>
Sun, 30 Mar 2025 10:03:02 +0000 (12:03 +0200)
commit f6c9490e1f7b0b375c286d5313ebf3bc81a95eb6
Author: Philippe Antoine <pantoine@oisf.net>
Date:   Tue Jan 28 15:02:45 2025 +0100

    detect/pcre: avoid infinite loop after negated pcre

    Ticket: 7526

    The usage of negated pcre, followed by other relative payload
    content keywords could lead to an infinite loop.

    This is because regular (not negated) pcre can test multiple
    occurrences, but negated pcre should be tried only once.

    (cherry picked from commit b14c67cbdf25fa6c7ffe0d04ddf3ebe67b12b50b)

Gbp-Pq: Name CVE-2025-29918.patch

src/detect-engine-content-inspection.c

index 309efb37a4dfb360b37c2313f792f363ca205235..b23c404d0473a654b3b1443317d1e2678a6bdb33 100644 (file)
@@ -430,7 +430,6 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
             if (r == 0) {
                 goto no_match;
             }
-
             if (!(pe->flags & DETECT_PCRE_RELATIVE_NEXT)) {
                 SCLogDebug("no relative match coming up, so this is a match");
                 goto match;
@@ -453,6 +452,11 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
             if (det_ctx->discontinue_matching)
                 goto no_match;
 
+            if (prev_offset == 0) {
+                // This happens for negated PCRE
+                // We do not search for another occurrence of this pcre
+                SCReturnInt(0);
+            }
             det_ctx->buffer_offset = prev_buffer_offset;
             det_ctx->pcre_match_start_offset = prev_offset;
         } while (1);
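Review bot: The new guard `if (prev_offset == 0)` infers "negated pcre" from a zero saved offset rather than from the keyword's negation state, and the comment does not explain why the two are equivalent. The assignment of `prev_offset` is outside this hunk, so this is an inference: if a non-negated pcre can also leave the saved start offset at 0, the retry stops early and later occurrences are never tried, which would be a missed detection rather than a hang. Because the loop is `do { … } while (1)` and the bug being fixed is an inspection thread spinning on one buffer, the invariant should be spelled out if it holds, e.g. `// prev_offset == 0 means no match start was saved (negated pcre); retrying would restart from the same offset and loop forever`. The guard also exits with `SCReturnInt(0)` while the check just above uses `goto no_match`; if that label does any cleanup, using it here would keep the exit paths consistent. DetectEngineContentInspection starts and ends outside the hunk.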