detect: set event if max inspect buffers exceeded

If a parser exceeds 1024 buffers we stop processing them and
set a detect event instead. This is to avoid parser bugs as well as
crafted bad traffic leading to resources starvation due to excessive
loops.

(cherry picked from commit e611adf3dc5b531a9d0ef9b861b4dbe0e150eae6)

diff --git a/src/detect-engine.c b/src/detect-engine.c
index afbe56ca83da29330e0c076233cdfea8f175976b..84f7826f0ee5eb420a905fc792b337c6df309ff1 100644 (file)
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -103,25 +103,29 @@ static uint32_t DetectEngineTentantGetIdFromPcap(const void *ctx, const Packet *
 static DetectEngineAppInspectionEngine *g_app_inspect_engines = NULL;
 static DetectEnginePktInspectionEngine *g_pkt_inspect_engines = NULL;
 
-SCEnumCharMap det_ctx_event_table[ ] = {
+SCEnumCharMap det_ctx_event_table[] = {
 #ifdef UNITTESTS
-    { "TEST",                       DET_CTX_EVENT_TEST },
+    { "TEST", DET_CTX_EVENT_TEST },
 #endif
-    { "NO_MEMORY",                  FILE_DECODER_EVENT_NO_MEM },
-    { "INVALID_SWF_LENGTH",         FILE_DECODER_EVENT_INVALID_SWF_LENGTH },
-    { "INVALID_SWF_VERSION",        FILE_DECODER_EVENT_INVALID_SWF_VERSION },
-    { "Z_DATA_ERROR",               FILE_DECODER_EVENT_Z_DATA_ERROR },
-    { "Z_STREAM_ERROR",             FILE_DECODER_EVENT_Z_STREAM_ERROR },
-    { "Z_BUF_ERROR",                FILE_DECODER_EVENT_Z_BUF_ERROR },
-    { "Z_UNKNOWN_ERROR",            FILE_DECODER_EVENT_Z_UNKNOWN_ERROR },
-    { "LZMA_DECODER_ERROR",         FILE_DECODER_EVENT_LZMA_DECODER_ERROR },
-    { "LZMA_MEMLIMIT_ERROR",        FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR },
-    { "LZMA_OPTIONS_ERROR",         FILE_DECODER_EVENT_LZMA_OPTIONS_ERROR },
-    { "LZMA_FORMAT_ERROR",          FILE_DECODER_EVENT_LZMA_FORMAT_ERROR },
-    { "LZMA_DATA_ERROR",            FILE_DECODER_EVENT_LZMA_DATA_ERROR },
-    { "LZMA_BUF_ERROR",             FILE_DECODER_EVENT_LZMA_BUF_ERROR },
-    { "LZMA_UNKNOWN_ERROR",         FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR },
-    { NULL,                         -1 },
+    { "NO_MEMORY", FILE_DECODER_EVENT_NO_MEM },
+    { "INVALID_SWF_LENGTH", FILE_DECODER_EVENT_INVALID_SWF_LENGTH },
+    { "INVALID_SWF_VERSION", FILE_DECODER_EVENT_INVALID_SWF_VERSION },
+    { "Z_DATA_ERROR", FILE_DECODER_EVENT_Z_DATA_ERROR },
+    { "Z_STREAM_ERROR", FILE_DECODER_EVENT_Z_STREAM_ERROR },
+    { "Z_BUF_ERROR", FILE_DECODER_EVENT_Z_BUF_ERROR },
+    { "Z_UNKNOWN_ERROR", FILE_DECODER_EVENT_Z_UNKNOWN_ERROR },
+    { "LZMA_DECODER_ERROR", FILE_DECODER_EVENT_LZMA_DECODER_ERROR },
+    { "LZMA_MEMLIMIT_ERROR", FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR },
+    { "LZMA_OPTIONS_ERROR", FILE_DECODER_EVENT_LZMA_OPTIONS_ERROR },
+    { "LZMA_FORMAT_ERROR", FILE_DECODER_EVENT_LZMA_FORMAT_ERROR },
+    { "LZMA_DATA_ERROR", FILE_DECODER_EVENT_LZMA_DATA_ERROR },
+    { "LZMA_BUF_ERROR", FILE_DECODER_EVENT_LZMA_BUF_ERROR },
+    { "LZMA_UNKNOWN_ERROR", FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR },
+    {
+            "TOO_MANY_BUFFERS",
+            DETECT_EVENT_TOO_MANY_BUFFERS,
+    },
+    { NULL, -1 },
 };
 
 /** \brief register inspect engine at start up time
@@ -1091,6 +1095,11 @@ static InspectionBufferMultipleForList *InspectionBufferGetMulti(
 InspectionBuffer *InspectionBufferMultipleForListGet(
         DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
 {
+    if (unlikely(local_id >= 1024)) {
+        DetectEngineSetEvent(det_ctx, DETECT_EVENT_TOO_MANY_BUFFERS);
+        return NULL;
+    }
+
     InspectionBufferMultipleForList *fb = InspectionBufferGetMulti(det_ctx, list_id);
 
     if (local_id >= fb->size) {

diff --git a/src/detect.h b/src/detect.h
index 80958169466aa84ec27b45a667b1124a7222e72b..97f089b82dadb7738b24c43050658615c44ee178 100644 (file)
--- a/src/detect.h
+++ b/src/detect.h
@@ -1240,6 +1240,8 @@ enum {
     FILE_DECODER_EVENT_LZMA_DATA_ERROR,
     FILE_DECODER_EVENT_LZMA_BUF_ERROR,
     FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR,
+
+    DETECT_EVENT_TOO_MANY_BUFFERS,
 };
 
 #define SIG_GROUP_HEAD_HAVERAWSTREAM    BIT_U32(0)