Snort mailing list archives

snort2: curious code in rfc5987_attr_char()


From: Bob Cook via Snort-devel <snort-devel () lists snort org>
Date: Tue, 17 Dec 2019 18:27:05 +0000

Hello,

I've been reviewing a little bit of the snort code and this got flagged by a static analyzer:

src\preprocessors\snort_httpinspect.c:3891 (snort-2.9.15)

static inline bool rfc5987_attr_char(u_char c)
{
    return rfc_2616_token(c) && ((c != '*') || (c != '\'') || (c != '%'));
}

The logical OR operators are likely supposed to be logical AND operators, which would make way more sense given the definition of RFC 5987.

Anyone else noticed this before? The code isn't new, seems like it's been around for a while and still exists in 2.9.15.

The side effect of this behavior would appear to be pretty minor, as this function is only used in parsing the Content-Disposition header, but figured it's still worth pointing out / asking about. There may be some history that I'm not aware of.

Thanks,
Bob Cook
Sophos
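
Added example (not part of the original message and not Snort code): the quoted OR predicate, the AND form the post suggests, and the RFC 5987 attr-char set written out from the grammar, compared over all 256 byte values. `is_token` is a hypothetical stand-in for Snort's `rfc_2616_token()`, written from the RFC 2616 token grammar; the other function names are made up for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Snort's rfc_2616_token(): RFC 2616 token is any
 * CHAR except CTLs (incl. HT), SP, DEL and the separators listed below. */
static bool is_token(unsigned char c)
{
    return c > 32 && c < 127 && strchr("()<>@,;:\\\"/[]?={}", c) == NULL;
}

/* Predicate as quoted in the post: no byte equals all three characters at
 * once, so the OR chain is always true and this reduces to is_token(c). */
static bool attr_char_or(unsigned char c)
{
    return is_token(c) && ((c != '*') || (c != '\'') || (c != '%'));
}

/* Same predicate with AND: token except '*', '\'' and '%'. */
static bool attr_char_and(unsigned char c)
{
    return is_token(c) && (c != '*') && (c != '\'') && (c != '%');
}

/* RFC 5987 attr-char spelled out from the grammar, as an independent reference. */
static bool attr_char_rfc(unsigned char c)
{
    bool alnum = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
    return alnum || (c != 0 && strchr("!#$&+-.^_`|~", c) != NULL);
}

/* Store every byte on which f and g disagree in out[] (size >= 256); return the count. */
static int disagreements(bool (*f)(unsigned char), bool (*g)(unsigned char), unsigned char *out)
{
    int n = 0;
    for (int c = 0; c < 256; c++)
        if (f((unsigned char)c) != g((unsigned char)c))
            out[n++] = (unsigned char)c;
    return n;
}

int main(void)
{
    unsigned char d[256];
    int n = disagreements(attr_char_or, attr_char_rfc, d);
    printf("OR form vs RFC 5987 attr-char: %d mismatches:", n);
    for (int i = 0; i < n; i++)
        printf(" %c", d[i]);
    printf("\nAND form vs RFC 5987 attr-char: %d mismatches\n", disagreements(attr_char_and, attr_char_rfc, d));
    return 0;
}
```

The only bytes on which the OR form departs from the RFC 5987 grammar are the three it was meant to exclude, which is the same tautology the static analyzer reported.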
