detect: errors on 65k filestore signatures

author Philippe Antoine <contact@catenacyber.fr>

Mon, 9 Oct 2023 12:49:54 +0000 (14:49 +0200)

committer Victor Julien <victor@inliniac.net>

Sat, 10 Feb 2024 16:43:59 +0000 (17:43 +0100)
author Philippe Antoine <contact@catenacyber.fr>
Mon, 9 Oct 2023 12:49:54 +0000 (14:49 +0200)
committer Victor Julien <victor@inliniac.net>
Sat, 10 Feb 2024 16:43:59 +0000 (17:43 +0100)
diff --git a/src/detect-engine-siggroup.c b/src/detect-engine-siggroup.c

index 67af1c115cf4411100025e479590f2514d264877..c75a5d0ed856838d2904c4281dd71ee5f0f43d99 100644 (file)
--- a/src/detect-engine-siggroup.c
+++ b/src/detect-engine-siggroup.c
@@ -48,6 +48,7 @@
  
  #include "util-error.h"
  #include "util-debug.h"
+#include "util-validate.h"
  #include "util-cidr.h"
  #include "util-unittest.h"
  #include "util-unittest-helper.h"
@@ -637,6 +638,8 @@ void SigGroupHeadSetFilestoreCount(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
              continue;
  
          if (SignatureIsFilestoring(s)) {
+            // should be insured by caller that we do not overflow
+            DEBUG_VALIDATE_BUG_ON(sgh->filestore_cnt == UINT16_MAX);
              sgh->filestore_cnt++;
          }
      }
diff --git a/src/detect-filestore.c b/src/detect-filestore.c

index c53a93d78dd27317b278688f2a3ee5e653feef98..03bdbba98c7f46700f01e938182968cf8b747e64 100644 (file)
--- a/src/detect-filestore.c
+++ b/src/detect-filestore.c
@@ -333,6 +333,11 @@ static int DetectFilestoreSetup (DetectEngineCtx *de_ctx, Signature *s, const ch
      static bool warn_not_configured = false;
      static uint32_t de_version = 0;
  
+    if (de_ctx->filestore_cnt == UINT16_MAX) {
+        SCLogError("Cannot have more than 65535 filestore signatures");
+        return -1;
+    }
+
      /* Check on first-time loads (includes following a reload) */
      if (!warn_not_configured || (de_ctx->version != de_version)) {
          if (de_version != de_ctx->version) {
@@ -476,6 +481,7 @@ static int DetectFilestoreSetup (DetectEngineCtx *de_ctx, Signature *s, const ch
      SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_POSTMATCH);
  
      s->flags |= SIG_FLAG_FILESTORE;
+    de_ctx->filestore_cnt++;
  
      if (match)
          pcre2_match_data_free(match);
diff --git a/src/detect.h b/src/detect.h

index 01865454b23c35c10337d4d13ea1fc1f70f1227c..587a29c39d02175e056f495f6f989f0549de22cd 100644 (file)
--- a/src/detect.h
+++ b/src/detect.h
@@ -1039,6 +1039,9 @@ typedef struct DetectEngineCtx_ {
  
      /* Track rule requirements for reporting after loading rules. */
      SCDetectRequiresStatus *requirements;
+
+    /* number of signatures using filestore, limited as u16 */
+    uint16_t filestore_cnt;
  } DetectEngineCtx;
  
  /* Engine groups profiles (low, medium, high, custom) */
author	Philippe Antoine <contact@catenacyber.fr>
	Mon, 9 Oct 2023 12:49:54 +0000 (14:49 +0200)
committer	Victor Julien <victor@inliniac.net>
	Sat, 10 Feb 2024 16:43:59 +0000 (17:43 +0100)
src/detect-engine-siggroup.c		patch \| blob \| blame \| history
src/detect-filestore.c		patch \| blob \| blame \| history
src/detect.h		patch \| blob \| blame \| history