From: Russ Combs (rucombs) Date: Wed, 6 Oct 2021 12:33:25 +0000 (+0000) Subject: Merge pull request #3076 in SNORT/snort3 from ~BRASTULT/snort3:decompress_depth to... X-Git-Tag: 3.1.14.0~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=78c71364a52e8b3cd14b5e68fb2aaeac0fe5e468;p=thirdparty%2Fsnort3.git Merge pull request #3076 in SNORT/snort3 from ~BRASTULT/snort3:decompress_depth to master Squashed commit of the following: commit d056c241b14ced1f3357bd7c35f9ae2aea69ec85 Author: Brandon Stultz Date: Mon Sep 20 18:02:37 2021 -0400 lua: fix Talos tweak snaplen commit 3f4aa706fea3ea693f3a9b008d5e548a169519c7 Author: Brandon Stultz Date: Fri Sep 17 14:02:13 2021 -0400 file_api: add decompress_buffer_size --- diff --git a/lua/talos.lua b/lua/talos.lua index a165fc4b3..afa0a8f86 100644 --- a/lua/talos.lua +++ b/lua/talos.lua @@ -13,25 +13,14 @@ function file_exists(name) end end -daq = +snort = { - modules = - { - { - name = 'pcap', - mode = 'read-file' - }, - { - name = 'dump', - variables = { 'output=none' } - }, - }, - snaplen = 65535 + ['-Q'] = true, + ['-s'] = 65535, + ['--daq'] = 'dump', + ['--daq-var'] = 'output=none' } -snort = { } -snort['-Q'] = true - if file_exists('local.rules') then snort['-R'] = 'local.rules' end diff --git a/src/file_api/file_module.cc b/src/file_api/file_module.cc index 32925f0d0..bb94996de 100644 --- a/src/file_api/file_module.cc +++ b/src/file_api/file_module.cc 
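Review bot: The replacement `snort` table drops the `pcap` / `read-file` DAQ module entry and nothing in the new table names an input module or mode, so what the file expects of its caller is no longer stated anywhere. Presumably the input is now supplied on the command line and this file only fixes the snaplen and the `dump` DAQ, but that is an inference; a one-line comment above the table, `-- input module/file come from the command line; this only sets snaplen and the dump DAQ`, would make it explicit. The `['-s'] = 65535` entry preserves the previous `snaplen = 65535`.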
@@ -196,13 +196,16 @@ static const Parameter file_id_params[] = "Non-Encoded MIME attachment extraction depth (-1 no limit)" }, { "decompress_pdf", Parameter::PT_BOOL, nullptr, "false", - "decompress pdf files in MIME attachments" }, + "decompress pdf files" }, { "decompress_swf", Parameter::PT_BOOL, nullptr, "false", - "decompress swf files in MIME attachments" }, + "decompress swf files" }, { "decompress_zip", Parameter::PT_BOOL, nullptr, "false", - "decompress zip files in MIME attachments" }, + "decompress zip files" }, + + { "decompress_buffer_size", Parameter::PT_INT, "1024:max31", "100000", + "file decompression buffer size" }, { "qp_decode_depth", Parameter::PT_INT, "-1:65535", "-1", "Quoted Printable decoding depth (-1 no limit)" }, @@ -346,6 +349,9 @@ bool FileIdModule::set(const char*, Value& v, SnortConfig*) else if ( v.is("decompress_zip") ) FileService::decode_conf.set_decompress_zip(v.get_bool()); + else if ( v.is("decompress_buffer_size") ) + FileService::decode_conf.set_decompress_buffer_size(v.get_uint32()); + else if (v.is("b64_decode_depth")) { int32_t value = v.get_int32(); diff --git a/src/mime/decode_buffer.cc b/src/mime/decode_buffer.cc index e0c890416..f44ee018e 100644 --- a/src/mime/decode_buffer.cc +++ b/src/mime/decode_buffer.cc @@ -24,6 +24,7 @@ #include "decode_buffer.h" +#include "file_mime_config.h" #include "utils/util.h" void DecodeBuffer::reset_saved() @@ -93,8 +94,6 @@ uint32_t DecodeBuffer::get_encode_avail() } } -#define MAX_DEPTH 65536 - DecodeBuffer::DecodeBuffer(int max_depth) { if (!max_depth) diff --git a/src/mime/file_mime_config.cc b/src/mime/file_mime_config.cc index 1884c9501..9036cf10a 100644 --- a/src/mime/file_mime_config.cc +++ b/src/mime/file_mime_config.cc 
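Review bot: The help string for the new `decompress_buffer_size` parameter gives neither a unit nor the cost of the setting, although its `1024:max31` range admits values up to 2^31-1 and this commit allocates a buffer of that size per MIME decode context (`snort_alloc(decompress_buf_size)` in file_mime_context_data.cc) and on every HTTP body decompression (`new uint8_t[buffer_size]` in http_msg_body.cc), so the memory footprint scales with the number of contexts and concurrent bodies, not with one setting. Suggest `"file decompression buffer size in bytes; a buffer of this size is allocated per MIME decode context and per HTTP body decompression"`. The `set()` hunk below stores it via `v.get_uint32()`, which matches the `uint32_t` setter added in file_mime_config.h.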
@@ -111,6 +111,16 @@ bool DecodeConfig::is_decompress_zip() const return decompress_zip; } +void DecodeConfig::set_decompress_buffer_size(uint32_t size) +{ + decompress_buffer_size = size; +} + +uint32_t DecodeConfig::get_decompress_buffer_size() const +{ + return decompress_buffer_size; +} + int64_t DecodeConfig::get_file_depth() const { return file_depth; @@ -161,5 +171,6 @@ void DecodeConfig::show(bool full) const ConfigLogger::log_flag("decompress_pdf", decompress_pdf); ConfigLogger::log_flag("decompress_swf", decompress_swf); ConfigLogger::log_flag("decompress_zip", decompress_zip); + ConfigLogger::log_value("decompress_buffer_size", decompress_buffer_size); } diff --git a/src/mime/file_mime_config.h b/src/mime/file_mime_config.h index ad26160d0..189cc3134 100644 --- a/src/mime/file_mime_config.h +++ b/src/mime/file_mime_config.h @@ -27,10 +27,11 @@ /*These are temporary values*/ #define DEFAULT_MIME_MEMCAP 838860 #define DEFAULT_DEPTH 1464 +#define DEFAULT_DECOMP 100000 #define MAX_LOG_MEMCAP 104857600 #define MIN_LOG_MEMCAP 3276 #define MIN_MIME_MEM 3276 -#define MAX_DEPTH 65535 +#define MAX_DEPTH 65536 #define MIN_DEPTH (-1) namespace snort @@ -62,6 +63,9 @@ public: void set_decompress_zip(bool); bool is_decompress_zip() const; + void set_decompress_buffer_size(uint32_t); + uint32_t get_decompress_buffer_size() const; + int64_t get_file_depth() const; bool is_decoding_enabled() const; void sync_all_depths(); @@ -77,6 +81,7 @@ private: bool decompress_pdf = false; bool decompress_swf = false; bool decompress_zip = false; + uint32_t decompress_buffer_size = DEFAULT_DECOMP; int64_t file_depth = MIN_DEPTH; bool decode_enabled = true; }; diff --git a/src/mime/file_mime_context_data.cc b/src/mime/file_mime_context_data.cc index de835deff..c78590f81 100644 --- a/src/mime/file_mime_context_data.cc +++ b/src/mime/file_mime_context_data.cc 
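Review bot: The shared header's `MAX_DEPTH` changes from 65535 to 65536 without a comment, and the reason is only visible elsewhere in the commit: decode_buffer.cc and file_mime_context_data.cc each deleted a private `#define MAX_DEPTH 65536` and now pick up the header's value, so the bump keeps their `snort_alloc(MAX_DEPTH)` sizing unchanged. Any other pre-existing user of the header macro, not visible here, silently moves to the new value, while the depth parameters in file_module.cc are still bounded by the literal `"-1:65535"` ranges. Suggest `#define MAX_DEPTH 65536  // decode buffer size in bytes, not a depth bound; configurable depths are limited by the "-1:65535" ranges in file_module.cc`. The new `set_/get_decompress_buffer_size` pair in the first hunk would also benefit from a short comment saying the value is in bytes.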
@@ -24,17 +24,19 @@ #include "file_mime_context_data.h" #include "detection/detection_engine.h" +#include "file_api/file_service.h" #include "utils/util.h" using namespace snort; -#define MAX_DEPTH 65536 unsigned MimeDecodeContextData::mime_ips_id = 0; MimeDecodeContextData::MimeDecodeContextData() { decode_buf = (uint8_t*)snort_alloc(MAX_DEPTH); - decompress_buf = (uint8_t*)snort_alloc(MAX_DEPTH); + + decompress_buf_size = FileService::decode_conf.get_decompress_buffer_size(); + decompress_buf = (uint8_t*)snort_alloc(decompress_buf_size); } MimeDecodeContextData::~MimeDecodeContextData() @@ -62,3 +64,10 @@ uint8_t* MimeDecodeContextData::get_decompress_buf() return data->decompress_buf; } +uint32_t MimeDecodeContextData::get_decompress_buf_size() +{ + MimeDecodeContextData* data = IpsContextData::get(mime_ips_id); + + return data->decompress_buf_size; +} + diff --git a/src/mime/file_mime_context_data.h b/src/mime/file_mime_context_data.h index b6db3df80..646fe454e 100644 --- a/src/mime/file_mime_context_data.h +++ b/src/mime/file_mime_context_data.h @@ -32,10 +32,13 @@ public: uint8_t* decode_buf = nullptr; uint8_t* decompress_buf = nullptr; + uint32_t decompress_buf_size = 0; static void init(); + static uint8_t* get_decode_buf(); static uint8_t* get_decompress_buf(); + static uint32_t get_decompress_buf_size(); }; #endif diff --git a/src/mime/file_mime_decode.cc b/src/mime/file_mime_decode.cc index 4eca743a2..6efac6248 100644 --- a/src/mime/file_mime_decode.cc +++ b/src/mime/file_mime_decode.cc 
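Review bot: `decompress_buf_size` is read from the global `FileService::decode_conf` in the constructor and stored beside the buffer it sized, but neither the member in file_mime_context_data.h nor the new accessor says that this stored copy, not `decode_conf`, is the value consumers must pair with `decompress_buf`; `MimeDecode::decompress_data` does use the accessor, which is the right choice. Suggest a comment on the member: `// size of decompress_buf as allocated in the ctor; read this, not decode_conf, so Avail_Out never exceeds the allocation`. `get_decompress_buf_size()` dereferences the result of `IpsContextData::get` unchecked, which mirrors the existing `get_decompress_buf()` rather than introducing anything new.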
@@ -156,10 +156,11 @@ DecodeResult MimeDecode::decompress_data(const uint8_t* buf_in, uint32_t size_in return result; uint8_t* decompress_buf = MimeDecodeContextData::get_decompress_buf(); + uint32_t decompress_buf_size = MimeDecodeContextData::get_decompress_buf_size(); fd_state->Next_In = buf_in; fd_state->Avail_In = size_in; fd_state->Next_Out = decompress_buf; - fd_state->Avail_Out = MAX_DEPTH; + fd_state->Avail_Out = decompress_buf_size; const fd_status_t status = File_Decomp(fd_state); diff --git a/src/service_inspectors/http_inspect/http_field.cc b/src/service_inspectors/http_inspect/http_field.cc index edad4c17e..c9761bd82 100644 --- a/src/service_inspectors/http_inspect/http_field.cc +++ b/src/service_inspectors/http_inspect/http_field.cc @@ -56,7 +56,6 @@ void Field::set(int32_t length, const uint8_t* start, bool own_the_buffer_) assert(strt == nullptr); assert(start != nullptr); assert(length >= 0); - assert(length <= MAX_OCTETS); strt = start; len = length; own_the_buffer = own_the_buffer_; diff --git a/src/service_inspectors/http_inspect/http_msg_body.cc b/src/service_inspectors/http_inspect/http_msg_body.cc index 1ec84a0fe..fc16227c3 100644 --- a/src/service_inspectors/http_inspect/http_msg_body.cc +++ b/src/service_inspectors/http_inspect/http_msg_body.cc @@ -24,6 +24,7 @@ #include "http_msg_body.h" #include "file_api/file_flows.h" +#include "file_api/file_service.h" #include "pub_sub/http_request_body_event.h" #include "http_api.h" 
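Review bot: The new local `decompress_buf_size` is never modified and feeds only `Avail_Out`, so it should be declared `const`, matching the `const uint32_t buffer_size` the same commit adds in http_msg_body.cc: `const uint32_t decompress_buf_size = MimeDecodeContextData::get_decompress_buf_size();`. The body of `decompress_data` starts and ends outside the hunk.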
@@ -248,13 +249,14 @@ void HttpMsgBody::do_file_decompression(const Field& input, Field& output) output.set(input); return; } - uint8_t* buffer = new uint8_t[MAX_OCTETS]; + const uint32_t buffer_size = FileService::decode_conf.get_decompress_buffer_size(); + uint8_t* buffer = new uint8_t[buffer_size]; session_data->fd_alert_context.infractions = transaction->get_infractions(source_id); session_data->fd_alert_context.events = session_data->events[source_id]; session_data->fd_state->Next_In = input.start(); session_data->fd_state->Avail_In = (uint32_t)input.length(); session_data->fd_state->Next_Out = buffer; - session_data->fd_state->Avail_Out = MAX_OCTETS; + session_data->fd_state->Avail_Out = buffer_size; const fd_status_t status = File_Decomp(session_data->fd_state);