From: Philippe Antoine
Date: Wed, 12 Jan 2022 20:58:47 +0000 (+0100)
Subject: mqtt: make max transactions configurable
X-Git-Tag: suricata-6.0.7~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=18c616394ebee4c4ef183e890f4a3432994bb39b;p=thirdparty%2Fsuricata.git

mqtt: make max transactions configurable

Allows users to find balance between completeness of decoding and increases resource consumption, which can DOS suricata.

(cherry picked from commit e42094f238aa388d05970993fd0de8194471fa60)
---
diff --git a/rust/src/mqtt/mqtt.rs b/rust/src/mqtt/mqtt.rs
index d8a21657b3..16fc607d96 100644
--- a/rust/src/mqtt/mqtt.rs
+++ b/rust/src/mqtt/mqtt.rs
@@ -23,6 +23,7 @@ use crate::applayer::{self, LoggerFlags};
 use crate::applayer::*;
 use crate::core::{self, AppProto, Flow, ALPROTO_FAILED, ALPROTO_UNKNOWN, IPPROTO_TCP};
 use num_traits::FromPrimitive;
+use crate::conf::conf_get;
 use nom;
 use std;
 use std::ffi::{CStr,CString};
@@ -37,8 +38,7 @@ const MQTT_CONNECT_PKT_ID: u32 = std::u32::MAX;
 // this value, it will be truncated. Default: 1MB.
 static mut MAX_MSG_LEN: u32 = 1048576;
 
-//TODO make this configurable
-const MQTT_MAX_TX: usize = 1024;
+static mut MQTT_MAX_TX: usize = 1024;
 
 static mut ALPROTO_MQTT: AppProto = ALPROTO_UNKNOWN;
 
@@ -182,7 +182,7 @@ impl MQTTState {
 } else {
 tx.toserver = true;
 }
- if self.transactions.len() > MQTT_MAX_TX {
+ if self.transactions.len() > unsafe { MQTT_MAX_TX } {
 for tx_old in &mut self.transactions {
 if !tx_old.complete {
 tx_old.complete = true;
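Review bot: `MQTT_MAX_TX` becomes a `static mut` that is written in `rs_mqtt_register_parser` (the @@ -869 hunk) and read without synchronization in `MQTTState` (the @@ -182 hunk), so soundness rests on registration finishing before any parsing thread runs, and nothing on the declaration records that. Add a comment above it, e.g. `// Set once from the config in rs_mqtt_register_parser (single-threaded init); read-only afterwards.`, in the same spirit as the comment `MAX_MSG_LEN` carries just above. Alternatively `static MQTT_MAX_TX: AtomicUsize = AtomicUsize::new(1024);` with `load`/`store(Ordering::Relaxed)` would remove both `unsafe` sites, though consistency with the existing `MAX_MSG_LEN` pattern is a fair reason to keep `static mut` and document it instead. The `impl MQTTState` method touched by the @@ -182 hunk starts and ends outside the hunk.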
@@ -869,6 +869,13 @@ pub unsafe extern "C" fn rs_mqtt_register_parser(cfg_max_msg_len: u32) {
 if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 {
 let _ = AppLayerRegisterParser(&parser, alproto);
 }
+ if let Some(val) = conf_get("app-layer.protocols.mqtt.max-tx") {
+ if let Ok(v) = val.parse::() {
+ MQTT_MAX_TX = v;
+ } else {
+ SCLogError!("Invalid value for mqtt.max-tx");
+ }
+ }
 } else {
 SCLogDebug!("Protocol detector and parser disabled for MQTT.");
 }
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 13bb75caf6..c2056dc89e 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -738,6 +738,8 @@ app-layer:
 # max-msg-length: 1mb
 # subscribe-topic-match-limit: 100
 # unsubscribe-topic-match-limit: 100
+ # Maximum number of live MQTT transactions per flow
+ # max-tx: 4096
 krb5:
 enabled: yes
 snmp:
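Review bot: The parsed `max-tx` value is stored without a range check, so `max-tx: 0` is accepted and makes `self.transactions.len() > unsafe { MQTT_MAX_TX }` in the @@ -182 hunk true for every new transaction, which appears to run the truncation loop and mark every still-open transaction complete on each message. Reject it in the `Ok` arm, e.g. `if let Ok(v) = val.parse::<usize>() { if v == 0 { SCLogError!("Invalid value for mqtt.max-tx"); } else { MQTT_MAX_TX = v; } }`, and consider including the offending string in the error so operators can see what was rejected. The turbofish type is stripped in this rendering (`val.parse::()`); presumably it is `usize` to match the static. The enclosing `rs_mqtt_register_parser` starts before and ends after the hunk.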
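Review bot: The commented example `# max-tx: 4096` sits beside a code default of 1024 (`static mut MQTT_MAX_TX: usize = 1024;` in mqtt.rs), while the neighbouring `# max-msg-length: 1mb` example does match its code default, so readers will likely take 4096 as the default too. State it explicitly: `# Maximum number of live MQTT transactions per flow (default: 1024)`. A short clause that raising the limit increases per-flow memory use, as the commit message itself notes, would also help operators make the trade-off deliberately.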