detect: set event if max inspect buffers exceeded
authorVictor Julien <victor@inliniac.net>
Thu, 13 May 2021 06:06:11 +0000 (08:06 +0200)
committerVictor Julien <victor@inliniac.net>
Tue, 15 Jun 2021 09:25:24 +0000 (11:25 +0200)
If a parser exceeds 1024 buffers we stop processing them and
set a detect event instead. This is to avoid parser bugs as well as
crafted bad traffic leading to resource starvation due to excessive
loops.

src/detect-engine.c
src/detect.h

index 00f3242ce3326a720ed31ceff3d285ea5454f5fc..032731ef3680039463f0d38ed6ae77da4013418a 100644 (file)
@@ -121,6 +121,10 @@ SCEnumCharMap det_ctx_event_table[] = {
     { "LZMA_DATA_ERROR", FILE_DECODER_EVENT_LZMA_DATA_ERROR },
     { "LZMA_BUF_ERROR", FILE_DECODER_EVENT_LZMA_BUF_ERROR },
     { "LZMA_UNKNOWN_ERROR", FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR },
+    {
+            "TOO_MANY_BUFFERS",
+            DETECT_EVENT_TOO_MANY_BUFFERS,
+    },
     { NULL, -1 },
 };
 
@@ -1027,6 +1031,11 @@ static InspectionBufferMultipleForList *InspectionBufferGetMulti(
 InspectionBuffer *InspectionBufferMultipleForListGet(
         DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
 {
+    if (unlikely(local_id >= 1024)) {
+        DetectEngineSetEvent(det_ctx, DETECT_EVENT_TOO_MANY_BUFFERS);
+        return NULL;
+    }
+
     InspectionBufferMultipleForList *fb = InspectionBufferGetMulti(det_ctx, list_id);
 
     if (local_id >= fb->size) {
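Review bot: The threshold in the new guard at the top of InspectionBufferMultipleForListGet is a bare literal 1024 that otherwise appears only in the commit message; it should be a named constant placed next to DETECT_EVENT_TOO_MANY_BUFFERS in detect.h so the event and its limit stay together, e.g. `#define DETECT_MAX_INSPECT_BUFFERS 1024` and `if (unlikely(local_id >= DETECT_MAX_INSPECT_BUFFERS)) {`. The early return introduces a NULL result from this function; if callers did not already handle NULL here, each call site now needs a check, which this hunk does not show. A short comment above the guard would help readers, `/* cap the per-list buffer count so a parser bug or crafted input cannot keep the engine looping; reported as DETECT_EVENT_TOO_MANY_BUFFERS */`. The function body continues past the end of the hunk.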
index 9036243759605305b12a18fe1e0ba89a39706424..5b5fbcfe567afbe484cb713c6c7c4de6cc3d6d77 100644 (file)
@@ -1225,6 +1225,8 @@ enum {
     FILE_DECODER_EVENT_LZMA_DATA_ERROR,
     FILE_DECODER_EVENT_LZMA_BUF_ERROR,
     FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR,
+
+    DETECT_EVENT_TOO_MANY_BUFFERS,
 };
 
 #define SIG_GROUP_HEAD_HAVERAWSTREAM    BIT_U32(0)
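Review bot: DETECT_EVENT_TOO_MANY_BUFFERS is the only member of this anonymous enum not prefixed FILE_DECODER_EVENT_ and it carries no comment, so its meaning is not visible from the header. Add a line comment on the new enumerator, `/* detect engine: a parser produced more inspect buffers for one list than InspectionBufferMultipleForListGet allows */`. Since det_ctx_event_table in detect-engine.c maps these enumerators to their names, a note that the two lists must be kept in sync would also help the next person who adds an event.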