From: Philippe Antoine Date: Tue, 7 Jan 2025 15:55:35 +0000 (+0100) Subject: fuzz: use lower pcre limits X-Git-Tag: suricata-8.0.0-beta1~612 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7750226e435228dca21ae6c22860921aa0497883;p=thirdparty%2Fsuricata.git fuzz: use lower pcre limits to avoid timeouts instead of forbidding pcre signatures on stream Ticket: 4858
---
diff --git a/src/detect-content.c b/src/detect-content.c
index 9625e7426d..6d3852ecc5 100644
--- a/src/detect-content.c
+++ b/src/detect-content.c
@@ -453,25 +453,6 @@ void SigParseRequiredContentSize(
 */
 bool DetectContentPMATCHValidateCallback(const Signature *s)
 {
-#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
- bool has_pcre = false;
- bool has_content = false;
- for (SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH]; sm != NULL; sm = sm->next) {
- if (sm->type == DETECT_PCRE) {
- has_pcre = true;
- } else if (sm->type == DETECT_CONTENT) {
- has_content = true;
- break;
- }
- }
- if (has_pcre && !has_content) {
- // Fuzzing does not allow rules with pcre and without content on payload
- // as it is known to be a bad rule for performance causing possible timeouts
- // Engine analysis has more generic warn_pcre_no_content about this
- return false;
- }
-#endif
-
 if (!(s->flags & SIG_FLAG_DSIZE)) {
 return true;
 }
diff --git a/src/detect-pcre.h b/src/detect-pcre.h
index 74131ba7db..dc20f4194c 100644
--- a/src/detect-pcre.h
+++ b/src/detect-pcre.h
@@ -36,8 +36,13 @@
 #define DETECT_PCRE_CAPTURE_MAX 8
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+#define SC_MATCH_LIMIT_DEFAULT 350
+#define SC_MATCH_LIMIT_RECURSION_DEFAULT 150
+#else
 #define SC_MATCH_LIMIT_DEFAULT 3500
 #define SC_MATCH_LIMIT_RECURSION_DEFAULT 1500
+#endif
 typedef struct DetectPcreData_ {
 DetectParseRegex parse_regex;
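Review bot: The fuzz-only values in the new `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` branch of src/detect-pcre.h have no comment saying why they differ from the production defaults; the rationale exists only in the commit message. A comment above `#define SC_MATCH_LIMIT_DEFAULT 350`, for example `/* fuzzing only: 10x lower pcre limits so rules with pcre and no content cannot time out the fuzzer (Ticket 4858) */`, would keep it next to the numbers. It is also worth stating there that fuzz builds now reach the match-limit path at a tenth of the production budget, so backtracking between 350 and 3500 steps is presumably no longer exercised by the fuzz targets. Because the macros are named as defaults, it may be worth confirming that no fuzz target loads a configuration that overrides them, since the check removed from `DetectContentPMATCHValidateCallback` no longer guards against that.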