From: Philippe Antoine
Date: Wed, 15 Apr 2020 12:31:37 +0000 (+0200)
Subject: http: adds debug check against too many warnings
X-Git-Tag: suricata-6.0.0-beta1~477
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=053c7288716a09e224cf96cb3e0d0b8d0260c72f;p=thirdparty%2Fsuricata.git
http: adds debug check against too many warnings
---
diff --git a/rules/http-events.rules b/rules/http-events.rules
index 279f0eea6d..023728c9aa 100644
--- a/rules/http-events.rules
+++ b/rules/http-events.rules
@@ -81,4 +81,6 @@ alert http any any -> any any (msg:"SURICATA HTTP duplicate content length field
 alert http any any -> any any (msg:"SURICATA HTTP compression bomb"; flow:established; app-layer-event:http.compression_bomb; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221049; rev:1;)
-# next sid 2221050
+alert http any any -> any any (msg:"SURICATA HTTP too many warnings"; flow:established; app-layer-event:http.too_many_warnings; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221050; rev:1;)
+
+# next sid 2221051
diff --git a/src/app-layer-htp.c b/src/app-layer-htp.c
index 1bf5b2fa17..acf005aefa 100644
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@@ -87,6 +87,9 @@ static SCRadixTree *cfgtree;
 /** List of HTP configurations. */
 static HTPCfgRec cfglist;
+/** Limit to the number of libhtp messages that can be handled */
+#define HTP_MAX_MESSAGES 512
+
 SC_ATOMIC_DECLARE(uint32_t, htp_config_flags);
 #ifdef DEBUG
@@ -198,6 +201,9 @@ SCEnumCharMap http_decoder_event_table[ ] = {
 { "MULTIPART_INVALID_HEADER",
 HTTP_DECODER_EVENT_MULTIPART_INVALID_HEADER},
+ { "TOO_MANY_WARNINGS",
+ HTTP_DECODER_EVENT_TOO_MANY_WARNINGS},
+
 { NULL, -1 },
 };
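Review bot: The comment on `HTP_MAX_MESSAGES` in the `@@ -87,6 +87,9 @@` hunk of src/app-layer-htp.c does not say what the limit is counted against or what happens once it is reached. The later hunk compares it with `htp_list_size(s->conn->messages)`, so it is a per-connection cap on the libhtp log list, and the doc comment could read `/** Max libhtp log messages per connection that are turned into events; past this, TOO_MANY_WARNINGS is raised once and later messages are ignored */`. The value 512 is hard-coded; if deployments are expected to tune it, that would need a config option, which this commit does not add.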
@@ -689,6 +695,16 @@ static void HTPHandleError(HtpState *s, const uint8_t dir)
 size_t size = htp_list_size(s->conn->messages);
 size_t msg;
+ if(size >= HTP_MAX_MESSAGES) {
+ if (s->htp_messages_offset < HTP_MAX_MESSAGES) {
+ //only once per HtpState
+ HTPSetEvent(s, NULL, dir, HTTP_DECODER_EVENT_TOO_MANY_WARNINGS);
+ s->htp_messages_offset = HTP_MAX_MESSAGES;
+ DEBUG_VALIDATE_BUG_ON("Too many libhtp messages");
+ }
+ // ignore further messages
+ return;
+ }
 for (msg = s->htp_messages_offset; msg < size; msg++) {
 htp_log_t *log = htp_list_get(s->conn->messages, msg);
diff --git a/src/app-layer-htp.h b/src/app-layer-htp.h
index b83b8c914d..1b322c1c80 100644
--- a/src/app-layer-htp.h
+++ b/src/app-layer-htp.h
@@ -132,6 +132,8 @@ enum {
 HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR,
 HTTP_DECODER_EVENT_MULTIPART_NO_FILEDATA,
 HTTP_DECODER_EVENT_MULTIPART_INVALID_HEADER,
+
+ HTTP_DECODER_EVENT_TOO_MANY_WARNINGS,
 };
 typedef enum HtpSwfCompressType_ {
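Review bot: The early `return` in the new `if(size >= HTP_MAX_MESSAGES)` branch of HTPHandleError also skips the messages between `s->htp_messages_offset` and the cap, so when the list crosses 512 within a single call the warnings queued just before it never become events. From then on no libhtp message on this connection raises its own decoder event, leaving `http.too_many_warnings` as the only signal for the rest of the flow; a comment such as `/* past the cap, libhtp messages are no longer turned into events; TOO_MANY_WARNINGS is the only indicator */` would make that detection trade-off explicit. The check bounds event handling only; whether `s->conn->messages` itself stops growing is not visible in this hunk and is worth confirming. `DEBUG_VALIDATE_BUG_ON` is given a string literal, which is always true, so validation builds presumably abort here by design, and the comment should say so. The function body continues outside the hunk.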