We have just released Hyperscan 4.4.1 on GitHub.
This release is a bugfix release. Two issues were discovered that affect streaming-mode use of Hyperscan. These issues are both related to incorrect initialisation of values in the scratch memory region.
The first issue may result in hs_close_stream() referencing data from other previously scanned streams. This issue may only occur when there is a pattern that is end anchored - that is, the pattern uses one of these constructs: "$", "\z", "\Z", "\b", "\B" - and a non-null match callback is provided.
The other issue relates to repeated character classes, where matches may not be reported, may be reported at an incorrect offset, or may be reported when no match should be found.
These issues do not affect non-streaming mode use of Hyperscan; as such, the Snort and Suricata integrations should not be affected.
As a result of these issues, we have also improved our internal testing processes for this class of error.
The changelog for this release is:
- Bugfixes to fix issues where stale data was being referenced in scratch memory. In particular this may have resulted in hs_close_stream() referencing data from other previously scanned streams. This may result in incorrect matches being reported.
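
To triage which patterns in a streaming-mode ruleset meet the pattern condition of the first issue above, the following added example (not part of the Hyperscan code base) flags patterns that use "$", "\z", "\Z", "\b" or "\B" as constructs rather than as literals. The function name and sample patterns are hypothetical, and it assumes PCRE conventions: these characters are literal when escaped, inside a character class, or inside \Q...\E quoting.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical triage helper: true if `pat` uses $, \z, \Z, \b or \B outside
 * a character class and outside \Q...\E quoting (assumed PCRE conventions). */
bool uses_end_anchor_construct(const char *pat) {
    bool in_class = false;
    for (size_t i = 0; pat[i] != '\0'; i++) {
        char c = pat[i];
        if (c == '\\') {
            char e = pat[i + 1];
            if (e == '\0') break;                 /* dangling backslash */
            if (!in_class && e == 'Q') {          /* literal run up to \E */
                const char *end = strstr(pat + i + 2, "\\E");
                if (end == NULL) break;           /* quoted to end of pattern */
                i = (size_t)(end - pat) + 1;      /* land on the 'E' */
                continue;
            }
            if (!in_class && (e == 'z' || e == 'Z' || e == 'b' || e == 'B'))
                return true;
            i++;                                  /* skip the escaped character */
        } else if (in_class) {
            if (c == '[' && pat[i + 1] == ':') {  /* POSIX class such as [:alpha:] */
                const char *end = strstr(pat + i + 2, ":]");
                if (end != NULL) i = (size_t)(end - pat) + 1;
            } else if (c == ']') {
                in_class = false;
            }
        } else if (c == '[') {
            in_class = true;
            if (pat[i + 1] == '^') i++;           /* negation marker */
            if (pat[i + 1] == ']') i++;           /* a leading ] is a literal */
        } else if (c == '$') {
            return true;
        }
    }
    return false;
}

int main(void) {
    /* Constructed sample patterns, not taken from any real ruleset. */
    const char *pats[] = { "foo$", "foo\\$", "[a$]+bar", "\\bword", "abc\\Z" };
    for (size_t i = 0; i < sizeof pats / sizeof pats[0]; i++)
        printf("%-10s %s\n", pats[i],
               uses_end_anchor_construct(pats[i]) ? "review" : "ok");
    return 0;
}
```

A flagged pattern only matters for deployments that scan in streaming mode and pass a non-null match callback, the other two conditions the announcement gives for the first issue.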