Literals should be able to start with NULL character

Question

Literals should be able to start with NULL character

jobooth opened this issue 2 years ago · 3 comments

According to documentation on hs_compile_lit, "the special terminating character \0 should be allowed to appear in expression, and not treated as a terminator for a string". Recent addition of strcmp check for empty expressions invalidates this statement, specifically meaning they can no longer start with a '\0'.

This is related to issue #386, though unlike that issue, where an additional NULL terminator can be added to expressions, there is no obvious workaround for this for any expression required to start with a NULL.

Answer 1 · 2023-03-01T14:22:30.000Z

Will consider the fix, thanks for reporting.

Answer 2 · 2023-06-14T08:44:34.000Z

I had the same problem

Answer 3 · 2023-06-23T02:28:01.000Z

Please fix this. As it crashes snort IDS / IPS.

See: https://lists.snort.org/pipermail/snort-users/2023-June/000543.html

Thank you