Merge pull request #2741 in SNORT/snort3 from ~BBANTWAL/snort3:binder_aliases to...

Squashed commit of the following:

commit 9ca8c58d0bf04b18e4441bed7e9b61c42c984688
Author: Bhagya Tholpady <bbantwal@cisco.com>
Date:   Wed Feb 10 14:19:28 2021 -0500

    managers: enforce strict parsing for binder aliases

    1. don't load aliased table when alias type is not known
    2. don't load aliased table when alias type is not bindable
    3. error and don't load aliased table when alias name is not empty
    and alias type is a singleton (global usage)
    4. error and don't load aliased table when alias name is a known module

diff --git a/src/main/finalize.lua b/src/main/finalize.lua
index 83d2df7a8a8f959e6abdb6bdb82a0c46d67406a2..5cef4228cc36200fd176fe3df5c770c1cd796c0b 100644 (file)
--- a/src/main/finalize.lua
+++ b/src/main/finalize.lua
@@ -30,6 +30,7 @@ bool set_bool(const char*, bool);
 bool set_number(const char*, double);
 bool set_string(const char*, const char*);
 bool set_alias(const char*, const char*);
+void clear_alias();
 ]]
 
 function snort_traverse(tab, fqn)
@@ -81,12 +82,15 @@ function load_aliases(env)
     for i,v in ipairs(env.binder) do
         if ( v.use and type(v.use) == "table" ) then
             if ( v.use.name and v.use.type ) then
-                ffi.C.set_alias(v.use.name, v.use.type)
-                local tab = env[v.use.name]
+                if ( ffi.C.set_alias(v.use.name, v.use.type) ) then
+                    local tab = env[v.use.name]
 
-                if ( tab ) then
-                    snort_whitelist_append(v.use.name)
-                    snort_set(nil, v.use.name, env[v.use.name])
+                    if ( tab ) then
+                        snort_whitelist_append(v.use.name)
+                        snort_set(nil, v.use.name, env[v.use.name])
+                    end
+
+                    ffi.C.clear_alias()
                 end
             end
         end

diff --git a/src/managers/module_manager.cc b/src/managers/module_manager.cc
index 76a41ed16c31695070426447e501c8e0f0b8f91f..fe9542e17a7bcd7224e980616db444f3092a0809 100644 (file)
--- a/src/managers/module_manager.cc
+++ b/src/managers/module_manager.cc
@@ -78,8 +78,8 @@ set<uint32_t> ModuleManager::gids;
 mutex ModuleManager::stats_mutex;
 
 static string s_current;
-static string s_name;
-static string s_type;
+static string s_aliased_name;
+static string s_aliased_type;
 
 // for callbacks from Lua
 static SnortConfig* s_config = nullptr;
@@ -93,7 +93,9 @@ extern "C"
     bool set_bool(const char* fqn, bool val);
     bool set_number(const char* fqn, double val);
     bool set_string(const char* fqn, const char* val);
+
     bool set_alias(const char* from, const char* to);
+    void clear_alias();
 
     const char* push_include_path(const char* file);
     void pop_include_path();
@@ -171,7 +173,7 @@ static std::string get_sub_table(const std::string& fqn)
 
 static void set_type(string& fqn)
 {
-    if ( s_type.empty() )
+    if ( s_aliased_type.empty() )
         return;
 
     size_t pos = fqn.find_first_of('.');
@@ -179,7 +181,7 @@ static void set_type(string& fqn)
     if ( pos == fqn.npos )
         pos = fqn.size();
 
-    fqn.replace(0, pos, s_type);
+    fqn.replace(0, pos, s_aliased_type);
 }
 
 static void set_top(string& fqn)
@@ -625,14 +627,39 @@ static bool interested(Module* m)
     return true;
 }
 
+
 //-------------------------------------------------------------------------
 // ffi methods
 //-------------------------------------------------------------------------
 
+SO_PUBLIC void clear_alias()
+{
+    s_aliased_name.clear();
+    s_aliased_type.clear();
+}
+
 SO_PUBLIC bool set_alias(const char* from, const char* to)
 {
-    s_name = from;
-    s_type = to;
+    const Module* m = ModuleManager::get_module(to);
+
+    if ( !m or !m->is_bindable() )
+        return false;
+
+    if ( (m->get_usage() == Module::GLOBAL) and from )
+    {
+        ParseError("global module type '%s' can't be aliased", to);
+        return false;
+    }
+
+    if (  ModuleManager::get_module(from) )
+    {
+        ParseError("alias name can't be an existing module '%s'", from);
+        return false;
+    }
+
+    s_aliased_name = from;
+    s_aliased_type = to;
+
     return true;
 }
 
@@ -671,7 +698,9 @@ SO_PUBLIC bool open_table(const char* s, int idx)
     // FIXIT-M only basic modules, inspectors and ips actions can be reloaded at present
     if ( ( Snort::is_reloading() ) and h->api
             and h->api->type != PT_INSPECTOR and h->api->type != PT_IPS_ACTION )
+    {
         return false;
+    }
 
     Module* m = h->mod;
     const Parameter* p = nullptr;
@@ -697,8 +726,8 @@ SO_PUBLIC bool open_table(const char* s, int idx)
     }
 
     string unique_key = key;
-    if ( !s_name.empty() )
-        unique_key = s_name;
+    if ( !s_aliased_name.empty() )
+        unique_key = s_aliased_name;
 
     if ( s_current != unique_key )
     {
@@ -749,19 +778,13 @@ SO_PUBLIC void close_table(const char* s, int idx)
 
         else if (h->api && top)
         {
-            if ( !s_name.empty() )
-                PluginManager::instantiate(h->api, h->mod, s_config, s_name.c_str());
+            if ( !s_aliased_name.empty() )
+                PluginManager::instantiate(h->api, h->mod, s_config, s_aliased_name.c_str());
             else
                 PluginManager::instantiate(h->api, h->mod, s_config);
         }
     }
 
-    if ( top )
-    {
-        s_name.clear();
-        s_type.clear();
-    }
-
     Shell::config_close_table();
 }