[Oisf-devel] SigParseTest05 test and DetectPortParse()
Yao-Min Chen
Yaomin.Chen at Sun.COM
Tue Jan 26 09:06:14 UTC 2010
Just tracing through the unit test as it was giving errors [ERRCODE:
SC_INVALID_ARGUMENT(12)] - PortParse error "1024:65536"
sig = SigInit(de_ctx, "alert tcp 1.2.3.4 1024:65536 -> !1.2.3.4 any
(msg:\"SigParseTest05\"; sid:1;)");
Given the port range error (65536 is greater than the max port number
65535), I am curious why SigInit still returned non-null and the unit
test passed. The return codes of DetectPortParse() and
DetectPortParseDo() were not checked. I wonder whether the behavior
should be 1) checking the return code, and 2) halting further parsing of
the signature.
Yaomin
More information about the Oisf-devel
mailing list