lua: Add config override for lua sandbox limits

diff --git a/src/detect-lua.c b/src/detect-lua.c
index 023aee82baeebded4cc08cdcdb44dd4174b3648a..360b61b20d2cb6e3044d3ea2affa68b5cc755631 100644 (file)
--- a/src/detect-lua.c
+++ b/src/detect-lua.c
@@ -98,9 +98,6 @@ static void DetectLuaRegisterTests(void);
 static void DetectLuaFree(DetectEngineCtx *, void *);
 static int g_smtp_generic_list_id = 0;
 
-// TODO: move to config
-static const uint64_t g_lua_alloc_limit = 500000, g_lua_instruction_limit = 500000;
-
 /**
  * \brief Registration function for keyword: lua
  */
@@ -153,6 +150,10 @@ void DetectLuaRegister(void)
 #define FLAG_DATATYPE_BUFFER                    BIT_U32(22)
 #define FLAG_ERROR_LOGGED                       BIT_U32(23)
 
+// TODO: move to config
+#define DEFAULT_LUA_ALLOC_LIMIT       500000
+#define DEFAULT_LUA_INSTRUCTION_LIMIT 500000
+
 #if 0
 /** \brief dump stack from lua state to screen */
 void LuaDumpStack(lua_State *state)
@@ -483,7 +484,7 @@ static void *DetectLuaThreadInit(void *data)
     t->alproto = lua->alproto;
     t->flags = lua->flags;
 
-    t->luastate = sb_newstate(g_lua_alloc_limit, g_lua_instruction_limit);
+    t->luastate = sb_newstate(lua->alloc_limit, lua->instruction_limit);
     if (t->luastate == NULL) {
         SCLogError("luastate pool depleted");
         goto error;
@@ -585,7 +586,7 @@ static int DetectLuaSetupPrime(DetectEngineCtx *de_ctx, DetectLuaData *ld, const
 {
     int status;
 
-    lua_State *luastate = sb_newstate(g_lua_alloc_limit, g_lua_instruction_limit);
+    lua_State *luastate = sb_newstate(ld->alloc_limit, ld->instruction_limit);
     if (luastate == NULL)
         return -1;
     luaL_openlibs(luastate); // TODO: get sandbox config and load appropriate libs
@@ -902,6 +903,14 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, const char *st
     if (lua == NULL)
         goto error;
 
+    /* Load lua sandbox configurations */
+    intmax_t lua_alloc_limit = DEFAULT_LUA_ALLOC_LIMIT;
+    intmax_t lua_instruction_limit = DEFAULT_LUA_INSTRUCTION_LIMIT;
+    (void)ConfGetInt("security.lua.max-bytes", &lua_alloc_limit);
+    (void)ConfGetInt("security.lua.max-instructions", &lua_instruction_limit);
+    lua->alloc_limit = lua_alloc_limit;
+    lua->instruction_limit = lua_instruction_limit;
+
     if (DetectLuaSetupPrime(de_ctx, lua, s) == -1) {
         goto error;
     }

diff --git a/src/detect-lua.h b/src/detect-lua.h
index 104c631fe35580e8ea8c6677a68bb6357530773a..5ec3c010229f72f1d79913ca33baf432ab9512fd 100644 (file)
--- a/src/detect-lua.h
+++ b/src/detect-lua.h
@@ -55,6 +55,8 @@ typedef struct DetectLuaData {
     uint32_t sid;
     uint32_t rev;
     uint32_t gid;
+    uint64_t alloc_limit;
+    uint64_t instruction_limit;
 } DetectLuaData;
 
 #endif /* HAVE_LUA */

diff --git a/src/util-lua-sandbox.c b/src/util-lua-sandbox.c
index 0fcb1dd2c1b5be945f62a405b859d6383d0f7285..f0c1b7ea0f0b11fb2fca1bf61c7410f3eaf6d0ee 100644 (file)
--- a/src/util-lua-sandbox.c
+++ b/src/util-lua-sandbox.c
@@ -64,8 +64,9 @@ static void *sb_alloc(void *ud, void *ptr, size_t osize, size_t nsize)
             return NULL;
         }
         void *nptr = SCRealloc(ptr, nsize);
-
-        ctx->alloc_bytes += nsize;
+        if (nptr != NULL) {
+            ctx->alloc_bytes += nsize;
+        }
         return nptr;
     }
 }
@@ -77,7 +78,7 @@ static const luaL_Reg sb_restrictedlibs[] = { { LUA_GNAME, luaopen_base },
     //  {LUA_LOADLIBNAME, luaopen_package},
     //  {LUA_COLIBNAME, luaopen_coroutine},
     { LUA_TABLIBNAME, luaopen_table },
-    //{LUA_IOLIBNAME, luaopen_io},
+    //  {LUA_IOLIBNAME, luaopen_io},
     //  {LUA_OSLIBNAME, luaopen_os},
     { LUA_STRLIBNAME, luaopen_string }, { LUA_MATHLIBNAME, luaopen_math },
     { LUA_UTF8LIBNAME, luaopen_utf8 },
@@ -144,7 +145,7 @@ lua_State *sb_newstate(uint64_t alloclimit, uint64_t instructionlimit)
     sb->L = lua_newstate(sb_alloc, sb); /* create state */
     if (sb->L == NULL) {
         // TODO: log or error code?
-        free(sb);
+        SCFree(sb);
         return NULL;
     }