From: Anna Norokh -X (anorokh - SOFTSERVE INC at Cisco) Date: Fri, 16 Feb 2024 19:42:06 +0000 (+0000) Subject: Pull request #4196: http_inspect: add check to handle situation when reload takes... X-Git-Tag: 3.1.81.0~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1d95c0ad7b1d033a8abc910c45aa275d7b7ef84e;p=thirdparty%2Fsnort3.git Pull request #4196: http_inspect: add check to handle situation when reload takes place inside transaction unit Merge in SNORT/snort3 from ~ANOROKH/snort3:js_conf_reload to master Squashed commit of the following: commit 21b4f72d313794eb71460a233fb68475cc71b67f Author: Anna Norokh Date: Tue Feb 6 15:38:08 2024 +0200 service_inspectors: add check for JSNorm config actuality * added check to pop, imap and smtp inspectors to recreate or delete normalizer in case of config reload commit f3d87c8ab8e468adffed4be9ce9a12873ebfbd55 Author: Andrii Serbeniuk Date: Fri Jan 26 16:34:07 2024 +0200 http_inspect: recreate JSNorm if reload takes place inside transaction * add generation_id field to JSNorm obj to track creation reload_id; --- diff --git a/src/js_norm/js_norm.cc b/src/js_norm/js_norm.cc index ba1959271..07ed4983a 100644 --- a/src/js_norm/js_norm.cc +++ b/src/js_norm/js_norm.cc @@ -61,9 +61,9 @@ const char* jsn::ret2str(int r) return jsret_codes[ret]; } -JSNorm::JSNorm(JSNormConfig* jsn_config, bool ext_script_type) : - alive(true), pdu_cnt(0), src_ptr(nullptr), src_end(nullptr), - idn_ctx(nullptr), jsn_ctx(nullptr), ext_script_type(ext_script_type) +JSNorm::JSNorm(JSNormConfig* jsn_config, bool ext_script_type, uint32_t generation_id) : + alive(true), pdu_cnt(0), src_ptr(nullptr), src_end(nullptr), idn_ctx(nullptr), + jsn_ctx(nullptr), ext_script_type(ext_script_type), generation_id(generation_id) { config = jsn_config; alive = (bool)config; diff --git a/src/js_norm/js_norm.h b/src/js_norm/js_norm.h index 64fa0be09..5c90cd20e 100644 --- a/src/js_norm/js_norm.h +++ b/src/js_norm/js_norm.h @@ -39,7 +39,7 @@ namespace snort class SO_PUBLIC JSNorm { public: - JSNorm(JSNormConfig*, bool ext_script_type = false); + JSNorm(JSNormConfig*, bool ext_script_type = false, uint32_t generation_id = 0); JSNorm(const JSNorm&) = delete; virtual ~JSNorm(); @@ -51,6 +51,9 @@ public: void flush_data(const void*&, size_t&); void flush_data(); + uint32_t get_generation_id() const + { return generation_id; } + protected: virtual bool pre_proc(); virtual bool post_proc(int); @@ -67,6 +70,7 @@ protected: JSEvents events; JSNormConfig* config; + uint32_t generation_id; }; } diff --git a/src/js_norm/js_pdf_norm.h b/src/js_norm/js_pdf_norm.h index 332ca026d..74b92f2e3 100644 --- a/src/js_norm/js_pdf_norm.h +++ b/src/js_norm/js_pdf_norm.h @@ -40,8 +40,9 @@ public: return magic_len < len and !strncmp((const char*)data, magic, magic_len); } - PDFJSNorm(JSNormConfig* cfg) : - JSNorm(cfg), pdf_in(&buf_pdf_in), pdf_out(&buf_pdf_out), extractor(pdf_in, pdf_out) + PDFJSNorm(JSNormConfig* cfg, uint32_t gen_id) : + JSNorm(cfg, false, gen_id), + pdf_in(&buf_pdf_in), pdf_out(&buf_pdf_out), extractor(pdf_in, pdf_out) { } protected: diff --git a/src/service_inspectors/http_inspect/http_js_norm.h b/src/service_inspectors/http_inspect/http_js_norm.h index f99fe1a01..fa697700e 100644 --- a/src/service_inspectors/http_inspect/http_js_norm.h +++ b/src/service_inspectors/http_inspect/http_js_norm.h @@ -63,8 +63,9 @@ class HttpInlineJSNorm : public snort::JSNorm, public HttpJSNorm { public: HttpInlineJSNorm(JSNormConfig* jsn_config, uint64_t tid, snort::SearchTool* mpse_open_tag, - snort::SearchTool* mpse_tag_attr) : - JSNorm(jsn_config), mpse_otag(mpse_open_tag), mpse_attr(mpse_tag_attr), output_size(0), ext_ref_type(false) + snort::SearchTool* mpse_tag_attr, uint32_t gen_id) : + JSNorm(jsn_config, false, gen_id), mpse_otag(mpse_open_tag), + mpse_attr(mpse_tag_attr), output_size(0), ext_ref_type(false) { trans_num = tid; } snort::JSNorm& ctx() override @@ -84,7 +85,8 @@ private: class HttpExternalJSNorm : public snort::JSNorm, public HttpJSNorm { public: - HttpExternalJSNorm(JSNormConfig* jsn_config, uint64_t tid) : JSNorm(jsn_config) + HttpExternalJSNorm(JSNormConfig* jsn_config, uint64_t tid, uint32_t gen_id) : + JSNorm(jsn_config, false, gen_id) { trans_num = tid; } snort::JSNorm& ctx() override @@ -98,8 +100,8 @@ protected: class HttpPDFJSNorm : public snort::PDFJSNorm, public HttpJSNorm { public: - HttpPDFJSNorm(JSNormConfig* jsn_config, uint64_t tid) : - PDFJSNorm(jsn_config) + HttpPDFJSNorm(JSNormConfig* jsn_config, uint64_t tid, uint32_t gen_id) : + PDFJSNorm(jsn_config, gen_id) { trans_num = tid; } snort::JSNorm& ctx() override diff --git a/src/service_inspectors/http_inspect/http_msg_body.cc b/src/service_inspectors/http_inspect/http_msg_body.cc index 92c7cd553..d4e90712b 100644 --- a/src/service_inspectors/http_inspect/http_msg_body.cc +++ b/src/service_inspectors/http_inspect/http_msg_body.cc @@ -473,7 +473,8 @@ HttpJSNorm* HttpMsgBody::acquire_js_ctx() if (js_ctx) { - if (js_ctx->get_trans_num() == trans_num) + if (js_ctx->get_trans_num() == trans_num and + js_ctx->ctx().get_generation_id() == SnortConfig::get_conf()->get_reload_id()) return js_ctx; delete js_ctx; @@ -506,22 +507,24 @@ HttpJSNorm* HttpMsgBody::acquire_js_ctx() case CT_TEXT_JSCRIPT: case CT_TEXT_LIVESCRIPT: // an external script should be processed from the beginning - js_ctx = first_body ? new HttpExternalJSNorm(jsn_config, trans_num) : nullptr; + js_ctx = first_body ? new HttpExternalJSNorm(jsn_config, trans_num, + SnortConfig::get_conf()->get_reload_id()) : nullptr; break; case CT_APPLICATION_XHTML_XML: case CT_TEXT_HTML: js_ctx = new HttpInlineJSNorm(jsn_config, trans_num, params->js_norm_param.mpse_otag, - params->js_norm_param.mpse_attr); + params->js_norm_param.mpse_attr, SnortConfig::get_conf()->get_reload_id()); break; case CT_APPLICATION_PDF: - js_ctx = new HttpPDFJSNorm(jsn_config, trans_num); + js_ctx = new HttpPDFJSNorm(jsn_config, trans_num, SnortConfig::get_conf()->get_reload_id()); break; case CT_APPLICATION_OCTET_STREAM: - js_ctx = first_body and HttpPDFJSNorm::is_pdf(decompressed_file_body.start(), decompressed_file_body.length()) ? - new HttpPDFJSNorm(jsn_config, trans_num) : nullptr; + js_ctx = first_body and + HttpPDFJSNorm::is_pdf(decompressed_file_body.start(), decompressed_file_body.length()) ? + new HttpPDFJSNorm(jsn_config, trans_num, SnortConfig::get_conf()->get_reload_id()) : nullptr; break; } @@ -535,7 +538,8 @@ HttpJSNorm* HttpMsgBody::acquire_js_ctx_mime() if (js_ctx) { - if (js_ctx->get_trans_num() == trans_num) + if (js_ctx->get_trans_num() == trans_num and + js_ctx->ctx().get_generation_id() == SnortConfig::get_conf()->get_reload_id()) return js_ctx; delete js_ctx; @@ -544,7 +548,7 @@ HttpJSNorm* HttpMsgBody::acquire_js_ctx_mime() JSNormConfig* jsn_config = get_inspection_policy()->jsn_config; js_ctx = HttpPDFJSNorm::is_pdf(decompressed_file_body.start(), decompressed_file_body.length()) ? - new HttpPDFJSNorm(jsn_config, trans_num) : nullptr; + new HttpPDFJSNorm(jsn_config, trans_num, SnortConfig::get_conf()->get_reload_id()) : nullptr; session_data->js_ctx_mime[source_id] = js_ctx; return js_ctx; diff --git a/src/service_inspectors/imap/imap.cc b/src/service_inspectors/imap/imap.cc index e34484567..5617f46c3 100644 --- a/src/service_inspectors/imap/imap.cc +++ b/src/service_inspectors/imap/imap.cc @@ -173,13 +173,18 @@ static IMAPData* get_session_data(Flow* flow) static inline PDFJSNorm* acquire_js_ctx(IMAPData& imap_ssn, const void* data, size_t len) { - if (imap_ssn.jsn) + auto reload_id = SnortConfig::get_conf()->get_reload_id(); + + if (imap_ssn.jsn and imap_ssn.jsn->get_generation_id() == reload_id) return imap_ssn.jsn; + delete imap_ssn.jsn; + imap_ssn.jsn = nullptr; + JSNormConfig* cfg = get_inspection_policy()->jsn_config; if (cfg and PDFJSNorm::is_pdf(data, len)) { - imap_ssn.jsn = new PDFJSNorm(cfg); + imap_ssn.jsn = new PDFJSNorm(cfg, reload_id); ++imapstats.js_pdf_scripts; } diff --git a/src/service_inspectors/pop/pop.cc b/src/service_inspectors/pop/pop.cc index 71a1d105f..cfea8852a 100644 --- a/src/service_inspectors/pop/pop.cc +++ b/src/service_inspectors/pop/pop.cc @@ -130,13 +130,18 @@ static POPData* get_session_data(Flow* flow) static inline PDFJSNorm* acquire_js_ctx(POPData& pop_ssn, const void* data, size_t len) { - if (pop_ssn.jsn) + auto reload_id = SnortConfig::get_conf()->get_reload_id(); + + if (pop_ssn.jsn and pop_ssn.jsn->get_generation_id() == reload_id) return pop_ssn.jsn; + delete pop_ssn.jsn; + pop_ssn.jsn = nullptr; + JSNormConfig* cfg = get_inspection_policy()->jsn_config; if (cfg and PDFJSNorm::is_pdf(data, len)) { - pop_ssn.jsn = new PDFJSNorm(cfg); + pop_ssn.jsn = new PDFJSNorm(cfg, reload_id); ++popstats.js_pdf_scripts; } diff --git a/src/service_inspectors/smtp/smtp.cc b/src/service_inspectors/smtp/smtp.cc index 5f9348e75..9f9c8b0be 100644 --- a/src/service_inspectors/smtp/smtp.cc +++ b/src/service_inspectors/smtp/smtp.cc @@ -229,13 +229,18 @@ static SMTPData* get_session_data(Flow* flow) static inline PDFJSNorm* acquire_js_ctx(SMTPData& smtp_ssn, const void* data, size_t len) { - if (smtp_ssn.jsn) + auto reload_id = SnortConfig::get_conf()->get_reload_id(); + + if (smtp_ssn.jsn and smtp_ssn.jsn->get_generation_id() == reload_id) return smtp_ssn.jsn; + delete smtp_ssn.jsn; + smtp_ssn.jsn = nullptr; + JSNormConfig* cfg = get_inspection_policy()->jsn_config; if (cfg and PDFJSNorm::is_pdf(data, len)) { - smtp_ssn.jsn = new PDFJSNorm(cfg); + smtp_ssn.jsn = new PDFJSNorm(cfg, reload_id); ++smtpstats.js_pdf_scripts; }