From: Philippe Antoine <pantoine@oisf.net>
Date: Thu, 22 Feb 2024 09:14:36 +0000 (+0100)
Subject: ssh: avoid quadratic complexity from long banner
X-Git-Tag: suricata-6.0.17~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a947228259541c6cec9dbbffdb4957d8af9e0621;p=thirdparty%2Fsuricata.git

ssh: avoid quadratic complexity from long banner

Ticket: 6799

When we find an overlong banner, we get into the state just
waiting for end of line, and we just want to skip the bytes
until then.
Returning AppLayerResult::incomplete made TCP engine retain
the bytes and grow the buffer that we parsed again and again...

(cherry picked from commit 271ed2008bb7392ca2803ab6dac8952491616151)
---

diff --git a/rust/src/ssh/ssh.rs b/rust/src/ssh/ssh.rs
index 18bb458e8d..ec8368d7ce 100644
--- a/rust/src/ssh/ssh.rs
+++ b/rust/src/ssh/ssh.rs
@@ -292,7 +292,9 @@ impl SSHState {
                     return r;
                 }
                 Err(nom::Err::Incomplete(_)) => {
-                    return AppLayerResult::incomplete(0 as u32, (input.len() + 1) as u32);
+                    // we do not need to retain these bytes
+                    // we parsed them, we skip them
+                    return AppLayerResult::ok();
                 }
                 Err(_e) => {
                     SCLogDebug!("SSH invalid banner {}", _e);