Re: snort2: curious code in rfc5987_attr_char()

[Dave Killion via Snort-devel <snort-devel () lists snort org>]

Good catch Bob - the OR's combined with the negates means it always returns
true, thus nullifying the check in the first place.



On Thu, Dec 19, 2019 at 3:17 PM Bob Cook via Snort-devel <
snort-devel () lists snort org> wrote:

> Hello,
>
> I've been reviewing a little bit of the snort code and this got flagged by
> a static analyzer:
>
> src\preprocessors\snort_httpinspect.c:3891 (snort-2.9.15)
>
> static inline bool rfc5987_attr_char(u_char c)
> {
>     return rfc_2616_token(c) && ((c != '*') || (c != '\'') || (c != '%'));
> }
>
> The logical OR operators are likely supposed to be logical AND operators,
> which would make way more sense given the definition of RFC 5987.
>
> Anyone else noticed this before? The code isn't new, seems like it's been
> around for a while and still exists in 2.9.15.
>
> The side effect of this behavior would appear to be pretty minor, as this
> function is only used in parsing the Content-Disposition header, but
> figured it's still worth pointing out / asking about. There may be some
> history that I'm not aware of.
>
> Thanks,
> Bob Cook
> Sophos
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!


-- 
Dave Killion

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!