From: Victor Julien Date: Thu, 20 Oct 2022 13:14:26 +0000 (+0200) Subject: decode: enforce layer limit through tunnel layers X-Git-Tag: suricata-7.0.0-rc1~330 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=03d049dadce71b5e751dddd3bfddd3a2ccf7a21d;p=thirdparty%2Fsuricata.git decode: enforce layer limit through tunnel layers Bug: #5686.
---
diff --git a/src/decode.c b/src/decode.c
index a4e7e2a16a..fec718c64c 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -312,6 +312,11 @@ Packet *PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *pare
 SCEnter();
+ if (parent->nb_decoded_layers + 1 >= decoder_max_layers) {
+ ENGINE_SET_INVALID_EVENT(parent, GENERIC_TOO_MANY_LAYERS);
+ SCReturnPtr(NULL, "Packet");
+ }
+
 /* get us a packet */
 Packet *p = PacketGetFromQueueOrAlloc();
 if (unlikely(p == NULL)) {
@@ -320,7 +325,10 @@ Packet *PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *pare
 /* copy packet and set length, proto */
 PacketCopyData(p, pkt, len);
+ DEBUG_VALIDATE_BUG_ON(parent->recursion_level == 255);
 p->recursion_level = parent->recursion_level + 1;
+ DEBUG_VALIDATE_BUG_ON(parent->nb_decoded_layers >= decoder_max_layers);
+ p->nb_decoded_layers = parent->nb_decoded_layers + 1;
 p->ts.tv_sec = parent->ts.tv_sec;
 p->ts.tv_usec = parent->ts.tv_usec;
 p->datalink = DLT_RAW;
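Review bot: The guard added at the top of PacketTunnelPktSetup and the DEBUG_VALIDATE_BUG_ON added before `p->nb_decoded_layers = ...` in the second hunk test different bounds: the guard returns NULL when `parent->nb_decoded_layers + 1 >= decoder_max_layers`, so by the time the assert runs `parent->nb_decoded_layers >= decoder_max_layers` cannot hold (assuming decoder_max_layers does not change in between) and the assert documents a looser invariant than the one actually enforced. Either tighten it to `DEBUG_VALIDATE_BUG_ON(parent->nb_decoded_layers + 1 >= decoder_max_layers);` or put a comment above the guard stating the intent, e.g. `/* the tunnel packet itself counts as a decoded layer: refuse setup if that would reach the limit */`, so a reader sees why the parent's count plus one is what is compared. The `recursion_level == 255` check is debug-only; whether release builds rely on decoder_max_layers being small enough that `parent->recursion_level + 1` can never wrap is not visible in these hunks and is worth confirming where decoder_max_layers is configured. PacketTunnelPktSetup starts before the first hunk and continues after the second.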