From 316cc528f784c86339d05907a4d6084cbe4d44e6 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Sun, 24 Mar 2024 21:12:15 +0100 Subject: [PATCH] detect/parse: set limits for pcre2 Ticket: 6889 To avoid regexp dos with too much backtracking. This is already done on pcre keyword, and pcrexform transform. We use the same default limits for rules parsing. --- src/detect-parse.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/detect-parse.c b/src/detect-parse.c index de898f5569..0289439200 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -2677,7 +2677,7 @@ int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, *match = pcre2_match_data_create_from_pattern(parse_regex->regex, NULL); if (*match) return pcre2_match(parse_regex->regex, (PCRE2_SPTR8)str, strlen(str), options, start_offset, - *match, NULL); + *match, parse_regex->context); return -1; } @@ -2733,6 +2733,15 @@ bool DetectSetupParseRegexesOpts(const char *parse_str, DetectParseRegex *detect parse_str, en, errbuffer); return false; } + detect_parse->context = pcre2_match_context_create(NULL); + if (detect_parse->context == NULL) { + SCLogError("pcre2 could not create match context"); + pcre2_code_free(detect_parse->regex); + detect_parse->regex = NULL; + return false; + } + pcre2_set_match_limit(detect_parse->context, SC_MATCH_LIMIT_DEFAULT); + pcre2_set_recursion_limit(detect_parse->context, SC_MATCH_LIMIT_RECURSION_DEFAULT); DetectParseRegexAddToFreeList(detect_parse); return true; -- 2.47.3