From: Philippe Antoine
Date: Wed, 27 Sep 2023 12:15:18 +0000 (+0200)
Subject: detect: check if signature uses too many buffers
X-Git-Tag: suricata-7.0.2~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=299ee6ed5561f01575150b436d5db31485dab146;p=thirdparty%2Fsuricata.git

detect: check if signature uses too many buffers

Ticket: #6104
The approach in master branch is to change the prototype of SigMatchAppendSMToList so that it allocates itself the new SigMatch
This approach requires to change all the 100-ish calls to SigMatchAppendSMToList and is thus quite a big change. For branch 7, we still wanted to avoid the buffer overflow, but did not want such an intrusive change, and still wanted to make the signature invalid. Instead of changing the prototype of the function, we make it return early, and set a flag in the signature which can be later checked by SigValidate
---
diff --git a/src/detect-parse.c b/src/detect-parse.c
index 33d739300d..2e798d7b1c 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -473,7 +473,8 @@ void SigMatchAppendSMToList(Signature *s, SigMatch *new, const int list)
 s->init_data->curbuf == NULL) {
 if (SignatureInitDataBufferCheckExpand(s) < 0) {
 SCLogError("failed to expand rule buffer array");
- // return -1; TODO error handle
+ s->init_data->init_flags |= SIG_FLAG_INIT_OVERFLOW;
+ return;
 }
 /* initialize new buffer */
@@ -1904,6 +1905,11 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
 SCReturnInt(0);
 }
+ if (s->init_data->init_flags & SIG_FLAG_INIT_OVERFLOW) {
+ SCLogError("rule %u tries to use too many buffers", s->id);
+ SCReturnInt(0);
+ }
+
 bool has_frame = false;
 bool has_app = false;
 bool has_pkt = false;
diff --git a/src/detect.h b/src/detect.h
index fd299c5047..69a5524e58 100644
--- a/src/detect.h
+++ b/src/detect.h
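Review bot: On the new early `return` in SigMatchAppendSMToList, `new` is neither linked into a signature list nor released, and because the function stays `void` none of the callers the commit message counts at around a hundred can tell that the append did not happen. If those callers treat the call as an ownership transfer, each rejected rule leaks that SigMatch, and keyword code that afterwards looks up the sigmatch it believes it just appended may find an older one or none; both should be audited rather than assumed safe. The contract should at least be stated at the return, e.g. `/* 'new' was NOT appended: the caller still owns it, and SigValidate() rejects the rule via SIG_FLAG_INIT_OVERFLOW */`. The function starts and continues outside this hunk, so whether later code already covers this is not visible here.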
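Review bot: The added check in SigValidate is the only reader of SIG_FLAG_INIT_OVERFLOW in this diff, so the overflow fix holds only while every rule-loading path runs SigValidate before the signature is used, and nothing in the code says so. A comment above the `if` would pin that dependency: `/* set by SigMatchAppendSMToList() when the buffer array could not be expanded; a sigmatch was dropped, so the rule must not load */`. The diff also adds no test that loads a rule using too many buffers and expects it to be refused, which is the regression this backport exists to prevent. SigValidate starts and continues outside the hunk.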
@@ -283,6 +283,7 @@ typedef struct DetectPort_ {
 BIT_U32(8) /**< priority is explicitly set by the priority keyword */
 #define SIG_FLAG_INIT_FILEDATA BIT_U32(9) /**< signature has filedata keyword */
 #define SIG_FLAG_INIT_JA3 BIT_U32(10) /**< signature has ja3 keyword */
+#define SIG_FLAG_INIT_OVERFLOW BIT_U32(11) /**< signature has overflown buffers */
 /* signature mask flags */
 /** \note: additions should be added to the rule analyzer as well */
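Review bot: The doc comment on SIG_FLAG_INIT_OVERFLOW, "signature has overflown buffers", reads as if memory had already been overrun, whereas the detect-parse.c change sets the flag exactly when the buffer array could not be expanded and the append was skipped. Wording that matches the behaviour would be `/**< rule needs more buffers than could be allocated; sigmatch dropped, rule rejected in SigValidate */`. That also tells a reader of detect.h where the flag is consumed, which the define alone does not.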