From: Philippe Antoine Date: Thu, 22 Feb 2024 09:14:36 +0000 (+0100) Subject: ssh: avoid quadratic complexity from long banner X-Git-Tag: suricata-8.0.0-beta1~1607 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=271ed2008bb7392ca2803ab6dac8952491616151;p=thirdparty%2Fsuricata.git ssh: avoid quadratic complexity from long banner Ticket: 6799 When we find an overlong banner, we get into the state just waiting for end of line, and we just want to skip the bytes until then. Returning AppLayerResult::incomplete made TCP engine retain the bytes and grow the buffer that we parsed again and again...
---
diff --git a/rust/src/ssh/ssh.rs b/rust/src/ssh/ssh.rs
index 6280e0b6ac..55f8426b4e 100644
--- a/rust/src/ssh/ssh.rs
+++ b/rust/src/ssh/ssh.rs
@@ -256,7 +256,9 @@ impl SSHState {
 return r;
 }
 Err(Err::Incomplete(_)) => {
- return AppLayerResult::incomplete(0_u32, (input.len() + 1) as u32);
+ // we do not need to retain these bytes
+ // we parsed them, we skip them
+ return AppLayerResult::ok();
 }
 Err(_e) => {
 SCLogDebug!("SSH invalid banner {}", _e);
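Review bot: The two-line comment added in the `Err(Err::Incomplete(_))` arm says the bytes are skipped but not why that is safe or what it prevents, so a later reader could change it back to `AppLayerResult::incomplete` and reintroduce the re-parsing cost described in ticket 6799. I would word it as `// Overlong banner: we only wait for end of line here, so nothing in these bytes is needed later.` followed by `// Returning incomplete makes the TCP engine keep and re-parse them on every segment (quadratic).` The comment should also say that consuming on Incomplete is valid only in the wait-for-end-of-line state named in the commit message; the enclosing match and function start outside the hunk, so that precondition cannot be confirmed from here. No test accompanies the change, and a unit test that feeds a long unterminated banner in several chunks and asserts each call returns ok would pin the behaviour.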