From: Victor Julien <vjulien@oisf.net>
Date: Thu, 20 Oct 2022 13:14:26 +0000 (+0200)
Subject: decode: enforce layer limit through tunnel layers
X-Git-Tag: suricata-6.0.9~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=64adb30b5cc78b49e80608508b349a105aca460b;p=thirdparty%2Fsuricata.git

decode: enforce layer limit through tunnel layers

Bug: #5686.
Bug: #5688.
---

diff --git a/src/decode.c b/src/decode.c
index db7cefa9ec..ddd83f066b 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -67,6 +67,7 @@
 #include "output.h"
 #include "output-flow.h"
 #include "flow-storage.h"
+#include "util-validate.h"
 
 uint32_t default_packet_size = 0;
 extern bool stats_decoder_events;
@@ -309,6 +310,11 @@ Packet *PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *pare
 
     SCEnter();
 
+    if (parent->nb_decoded_layers + 1 >= decoder_max_layers) {
+        ENGINE_SET_INVALID_EVENT(parent, GENERIC_TOO_MANY_LAYERS);
+        SCReturnPtr(NULL, "Packet");
+    }
+
     /* get us a packet */
     Packet *p = PacketGetFromQueueOrAlloc();
     if (unlikely(p == NULL)) {
@@ -317,7 +323,10 @@ Packet *PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *pare
 
     /* copy packet and set length, proto */
     PacketCopyData(p, pkt, len);
+    DEBUG_VALIDATE_BUG_ON(parent->recursion_level == 255);
     p->recursion_level = parent->recursion_level + 1;
+    DEBUG_VALIDATE_BUG_ON(parent->nb_decoded_layers >= decoder_max_layers);
+    p->nb_decoded_layers = parent->nb_decoded_layers + 1;
     p->ts.tv_sec = parent->ts.tv_sec;
     p->ts.tv_usec = parent->ts.tv_usec;
     p->datalink = DLT_RAW;