decode: enforce layer limit through tunnel layers
authorVictor Julien <vjulien@oisf.net>
Thu, 20 Oct 2022 13:14:26 +0000 (15:14 +0200)
committerVictor Julien <vjulien@oisf.net>
Sun, 27 Nov 2022 07:29:59 +0000 (08:29 +0100)
Bug: #5686.
Bug: #5688.

src/decode.c

index db7cefa9ecc175000287a9202b48c635c65deece..ddd83f066b9feb8f2ea3325c970123c08f9670e3 100644 (file)
@@ -67,6 +67,7 @@
 #include "output.h"
 #include "output-flow.h"
 #include "flow-storage.h"
+#include "util-validate.h"
 
 uint32_t default_packet_size = 0;
 extern bool stats_decoder_events;
@@ -309,6 +310,11 @@ Packet *PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *pare
 
     SCEnter();
 
+    if (parent->nb_decoded_layers + 1 >= decoder_max_layers) {
+        ENGINE_SET_INVALID_EVENT(parent, GENERIC_TOO_MANY_LAYERS);
+        SCReturnPtr(NULL, "Packet");
+    }
+
     /* get us a packet */
     Packet *p = PacketGetFromQueueOrAlloc();
     if (unlikely(p == NULL)) {
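Review bot: The new guard `if (parent->nb_decoded_layers + 1 >= decoder_max_layers)` has no comment saying why the comparison carries the `+ 1` or why the event lands on the parent, and both are non-obvious to the next reader. The `+ 1` matches the child's assignment later in this function (`p->nb_decoded_layers = parent->nb_decoded_layers + 1`), so the check rejects exactly the case where the child would reach the limit, and the event goes on the parent because no child packet exists yet at this point, which is also why the early `SCReturnPtr(NULL, "Packet")` leaks nothing. Suggested comment above the `if`: `/* refuse to create a child that would hit decoder_max_layers; set the event on the parent, no child exists yet */`. PacketTunnelPktSetup begins before this hunk.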
@@ -317,7 +323,10 @@ Packet *PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *pare
 
     /* copy packet and set length, proto */
     PacketCopyData(p, pkt, len);
+    DEBUG_VALIDATE_BUG_ON(parent->recursion_level == 255);
     p->recursion_level = parent->recursion_level + 1;
+    DEBUG_VALIDATE_BUG_ON(parent->nb_decoded_layers >= decoder_max_layers);
+    p->nb_decoded_layers = parent->nb_decoded_layers + 1;
     p->ts.tv_sec = parent->ts.tv_sec;
     p->ts.tv_usec = parent->ts.tv_usec;
     p->datalink = DLT_RAW;
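Review bot: `DEBUG_VALIDATE_BUG_ON(parent->recursion_level == 255)` and `DEBUG_VALIDATE_BUG_ON(parent->nb_decoded_layers >= decoder_max_layers)` only check these invariants in validation builds, so in a normal build a `recursion_level` at 255 would wrap unnoticed on the next line, assuming the field is an 8-bit counter as the constant suggests. It would help to state in a comment that the real bound in release builds is the `decoder_max_layers` guard added earlier in this function, and that this presumes `decoder_max_layers` stays at or below 255 and `recursion_level` never exceeds `nb_decoded_layers`, neither of which this hunk shows. Suggested comment: `/* depth is bounded by the decoder_max_layers check above; these asserts only verify that invariant in validation builds */`. PacketTunnelPktSetup begins and ends outside this hunk.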