detect: non infinite default value for inspection-recursion-limit

So that empty config are protected by this setting as was intended.

Set to unlimited for fuzz testing.

diff --git a/src/detect-engine.c b/src/detect-engine.c
index 146804d332311fa69a018b48eae9a77ba75e6b7e..b1799846c3667197346b36b35e18bee3edc07c8e 100644 (file)
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -2953,6 +2953,7 @@ static int DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
     }
 
     intmax_t value = 0;
+    de_ctx->inspection_recursion_limit = DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT;
     if (ConfGetInt("detect.inspection-recursion-limit", &value) == 1)
     {
         if (value >= 0 && value <= INT_MAX) {
@@ -2992,9 +2993,6 @@ static int DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
                     de_ctx->inspection_recursion_limit =
                         DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT;
                 }
-            } else {
-                de_ctx->inspection_recursion_limit =
-                    DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT;
             }
         }
     }

diff --git a/src/tests/fuzz/confyaml.c b/src/tests/fuzz/confyaml.c
index f538f32871f7c29546a95667300f8d5ef1bb5d5e..194552859909014c1b0853b8d7176ec9deaa558b 100644 (file)
--- a/src/tests/fuzz/confyaml.c
+++ b/src/tests/fuzz/confyaml.c
@@ -110,4 +110,6 @@ app-layer:\n\
       enabled: yes\n\
     quic:\n\
       enabled: yes\n\
+detect:\n\
+  inspection-recursion-limit: 0\n\
 ";

diff --git a/suricata.yaml.in b/suricata.yaml.in
index dd376fe59913ae4dff9ad4624f5276358aa1b005..d6920396ebf62a4c51d612f4e82434c09f9e9f11 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -1725,15 +1725,15 @@ decoder:
 # The option inspection-recursion-limit is used to limit the recursive calls
 # in the content inspection code.  For certain payload-sig combinations, we
 # might end up taking too much time in the content inspection code.
-# If the argument specified is 0, the engine uses an internally defined
-# default limit.  When a value is not specified, there are no limits on the recursion.
+# If the argument specified is 0, there are no limits on the recursion.
+# When a value is not specified, the default is 3000
 detect:
   profile: medium
   custom-values:
     toclient-groups: 3
     toserver-groups: 25
   sgh-mpm-context: auto
-  inspection-recursion-limit: 3000
+  # inspection-recursion-limit: 3000
   # maximum number of times a tx will get logged for rules without app-layer keywords
   # stream-tx-log-limit: 4
   # Try to guess an app-layer transaction for rules without app-layer keywords,