From e611adf3dc5b531a9d0ef9b861b4dbe0e150eae6 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Thu, 13 May 2021 08:06:11 +0200
Subject: [PATCH] detect: set event if max inspect buffers exceeded

If a parser exceeds 1024 buffers we stop processing them and set a detect event instead. This is to avoid parser bugs as well as crafted bad traffic leading to resources starvation due to excessive loops.
---
 src/detect-engine.c | 9 +++++++++
 src/detect.h | 2 ++
 2 files changed, 11 insertions(+)

diff --git a/src/detect-engine.c b/src/detect-engine.c
index 00f3242ce3..032731ef36 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -121,6 +121,10 @@ SCEnumCharMap det_ctx_event_table[] = {
     { "LZMA_DATA_ERROR", FILE_DECODER_EVENT_LZMA_DATA_ERROR },
     { "LZMA_BUF_ERROR", FILE_DECODER_EVENT_LZMA_BUF_ERROR },
     { "LZMA_UNKNOWN_ERROR", FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR },
+    {
+        "TOO_MANY_BUFFERS",
+        DETECT_EVENT_TOO_MANY_BUFFERS,
+    },
     { NULL, -1 },
 };
@@ -1027,6 +1031,11 @@ static InspectionBufferMultipleForList *InspectionBufferGetMulti(
 InspectionBuffer *InspectionBufferMultipleForListGet(
         DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
 {
+    if (unlikely(local_id >= 1024)) {
+        DetectEngineSetEvent(det_ctx, DETECT_EVENT_TOO_MANY_BUFFERS);
+        return NULL;
+    }
+
     InspectionBufferMultipleForList *fb = InspectionBufferGetMulti(det_ctx, list_id);
     if (local_id >= fb->size) {
diff --git a/src/detect.h b/src/detect.h
index 9036243759..5b5fbcfe56 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -1225,6 +1225,8 @@ enum {
     FILE_DECODER_EVENT_LZMA_DATA_ERROR,
     FILE_DECODER_EVENT_LZMA_BUF_ERROR,
     FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR,
+
+    DETECT_EVENT_TOO_MANY_BUFFERS,
 };
 #define SIG_GROUP_HEAD_HAVERAWSTREAM BIT_U32(0)
-- 
2.47.3
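Review bot: The cap in `if (unlikely(local_id >= 1024))` is a bare magic number that appears in the commit message but nowhere as a named constant, so the bound is invisible to whoever next needs to tune it or report it; define it once, e.g. `#define DETECT_MAX_INSPECT_BUFFERS 1024` in detect.h next to the new event, and compare against that. The early `return NULL` is a new failure mode for InspectionBufferMultipleForListGet and the hunk does not show whether the function could already return NULL, so every caller should be confirmed to have a NULL-tolerant path before this merges, otherwise a stream that crosses 1024 buffers turns a starvation guard into a NULL dereference. A short why-comment on the check would also help the next reader: `/* hard cap per list: parser bugs or crafted traffic must not drive unbounded buffer loops here */`. The body of InspectionBufferMultipleForListGet continues past the end of the hunk.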
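Review bot: `DETECT_EVENT_TOO_MANY_BUFFERS` is appended to an anonymous enum whose visible neighbours are all `FILE_DECODER_EVENT_*` values, and the blank line is the only hint that it belongs to a different family; a one-line comment above it, `/* detect-engine events (not file decoder) */`, would make the grouping explicit. The same enum is mirrored by `det_ctx_event_table[]` in detect-engine.c in this patch, so a note that the two must be kept in sync would save the next person from adding one without the other. The enclosing enum starts outside the hunk.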