Ilya Bakhtin [Mon, 15 Feb 2021 17:36:46 +0000 (18:36 +0100)]
protodetect: improve midstream handling
Set "done flag" only if parsers for both directions are not found in a
case of midstream parsers from other direction are tried if nothing is found
for the initial one. "done flag" must be set if nothing is found in both
directions. Otherwise processing of incomplete data is terminated at the very
first try.
Victor Julien [Sat, 13 Feb 2021 16:10:15 +0000 (17:10 +0100)]
host: improve compare logic
The old compare macro would compare all bytes of an address, even
when for IPv4 addresses the additional bytes were not in use. This
made the logic vulnerable to mistakes like in issue #4280.
Eric Leblond [Sun, 24 Jan 2021 21:40:02 +0000 (22:40 +0100)]
suricata: avoid at exit crash in nfq mode
When Suricata was built with ebpf support and when it was started
in NFQ mode, it was crashing at exit because it was trying to free
the device extension.
This patch fixes the issue by only triggering the eBPF related code
when Suricata is running in AFP_PACKET mode.
Victor Julien [Mon, 1 Feb 2021 21:23:47 +0000 (22:23 +0100)]
app-layer: fix transaction cleanup
Fix a 'skipped' transaction early in the list leading to all further
transactions getting skipped, even if they were fully processed and
ready to be cleaned up.
Victor Julien [Thu, 4 Feb 2021 13:48:11 +0000 (14:48 +0100)]
detect: fix heap overflow issue with buffer setup
In some cases, the InspectionBufferGet function would be followed by
a failure to set the buffer up, for example due to an HTTP body limit
not yet being reached. Yet each call to InspectionBufferGet would lead
to the matching list_id being added to the
DetectEngineThreadCtx::inspect.to_clear_queue. This array is sized to
add each list only once, but in this case the same id could be added
multiple times, potentially overflowing the array.
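The failure mode described in this commit message, as an added C illustration that is not Suricata's code and not the project's actual fix. The `ex_` names, the queue size of 4 and the per-id guard flag are assumptions made for the example; the unguarded variant reports the would-be out-of-bounds write instead of performing it.

```c
#include <stdint.h>
#include <stdio.h>

#define EX_NUM_LISTS 4 /* constructed: number of distinct buffer list ids */

struct ex_ctx {
    uint32_t to_clear_queue[EX_NUM_LISTS]; /* room for each id exactly once */
    uint32_t to_clear_idx;
    uint8_t queued[EX_NUM_LISTS];          /* guard: is this id already queued? */
};

/* Pattern from the description: every "get" queues the id, even when setup
 * fails afterwards and the same id is requested again. Returns -1 at the
 * point where the write would land past the end of the array. */
int ex_get_unguarded(struct ex_ctx *c, uint32_t list_id)
{
    if (c->to_clear_idx >= EX_NUM_LISTS)
        return -1; /* this is where the heap overflow would happen */
    c->to_clear_queue[c->to_clear_idx++] = list_id;
    return 0;
}

/* Guarded variant (one possible approach): an id is queued at most once, so
 * to_clear_idx can never exceed the number of lists. */
int ex_get_guarded(struct ex_ctx *c, uint32_t list_id)
{
    if (list_id >= EX_NUM_LISTS)
        return -1;
    if (!c->queued[list_id]) {
        c->queued[list_id] = 1;
        c->to_clear_queue[c->to_clear_idx++] = list_id;
    }
    return 0;
}

/* Request the same list id `calls` times, as happens while buffer setup keeps
 * failing, and count the calls that would have written out of bounds. */
int ex_count_overflows(int guarded, int calls)
{
    struct ex_ctx c = {0};
    int bad = 0;
    for (int i = 0; i < calls; i++)
        bad += (guarded ? ex_get_guarded(&c, 2) : ex_get_unguarded(&c, 2)) < 0;
    return bad;
}

int main(void)
{
    printf("unguarded: %d would-be overflows, guarded: %d\n",
           ex_count_overflows(0, 10), ex_count_overflows(1, 10));
    return 0;
}
```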
Jason Ish [Fri, 18 Dec 2020 17:34:30 +0000 (11:34 -0600)]
filestore: fix global counter init in unix socket mode
Move initialization of filestore global counter to PreRunInit,
so they get registered during program initialization, or as
required in unix-socket mode, initialized for each file run.
Jeff Lucovsky [Tue, 12 Jan 2021 15:14:54 +0000 (10:14 -0500)]
lua: Use SC prefix for Lua functions
This commit adds additional Lua API interfaces to bring consistency to
functions such that the `SC` prefix is available consistently across
flow int and flow var functions.
Jason Ish [Wed, 30 Dec 2020 19:32:53 +0000 (13:32 -0600)]
mime: postpone md5 calculation to parse complete
Instead of calculating the MD5 at the end of every part, only
compute it when parsing is complete.
With libnss, the hash never updates after the first HASH_End, so
the md5 of only the first part of the body is logged, rather than
the md5 of all the parts.
Jason Ish [Thu, 10 Dec 2020 15:48:06 +0000 (09:48 -0600)]
github-ci: use a unique id for the commit check cargo cache
All builds have been using the same cache id for ~/.cargo which
could lead us to conflict situations which is what I think we are
seeing with the commit-check job.
Base64Encode function requires the maximum length of the output string
as its last parameter. Use the macro BASE64_BUFFER_SIZE to calculate it
correctly.
The size of encoded_data array and the maximum output length parameter
to Base64Encode function were incorrect leading to buffer overflow for
certain cases. The algorithm requires at least 5 bytes of space to even
convert a string of length 1.
Use BASE64_BUFFER_SIZE macro to correctly calculate this output length.
Set size of encoded_data array to the calculated output length.
Maximum length of a base64 encoded string can be 33% over the actual
length of the input string. The formula to best cover all the edge cases
is mathematically
(4 * (input_length + 2) / 3) + 1
Add a macro to calculate this for a given input length.
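The sizing formula from these commit messages, worked through as an added C example that is not Suricata's code. The macro name `EX_B64_BUFFER_SIZE` and the encoder `ex_b64_encode` are hypothetical stand-ins; the encoder refuses to write when the caller's maximum output length is too small, and `ex_macro_covers` checks the formula against the exact requirement for every input length below a limit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Formula quoted in the commit message; this macro name is hypothetical. */
#define EX_B64_BUFFER_SIZE(n) ((4 * ((n) + 2) / 3) + 1)

static const char ex_tab[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Exact need: 4 output chars per started 3-byte group, plus the NUL. */
size_t ex_b64_needed(size_t n) { return 4 * ((n + 2) / 3) + 1; }

/* Hypothetical bounded encoder: returns the encoded length, or -1 when
 * out_max cannot hold the output and its terminator. */
int ex_b64_encode(const unsigned char *in, size_t n, char *out, size_t out_max)
{
    size_t o = 0;
    if (out_max < ex_b64_needed(n))
        return -1;
    for (size_t i = 0; i < n; i += 3) {
        size_t left = n - i;
        unsigned v = (unsigned)in[i] << 16;
        if (left > 1) v |= (unsigned)in[i + 1] << 8;
        if (left > 2) v |= in[i + 2];
        out[o++] = ex_tab[(v >> 18) & 63];
        out[o++] = ex_tab[(v >> 12) & 63];
        out[o++] = left > 1 ? ex_tab[(v >> 6) & 63] : '=';
        out[o++] = left > 2 ? ex_tab[v & 63] : '=';
    }
    out[o] = '\0';
    return (int)o;
}

/* Returns 1 if the macro's size is sufficient for every length below limit. */
int ex_macro_covers(size_t limit)
{
    for (size_t n = 0; n < limit; n++)
        if ((size_t)EX_B64_BUFFER_SIZE(n) < ex_b64_needed(n))
            return 0;
    return 1;
}

int main(void)
{
    char small[4], ok[EX_B64_BUFFER_SIZE(1)]; /* 4 bytes is one too few */
    printf("4-byte buffer: %d, macro-sized buffer: %d\n",
           ex_b64_encode((const unsigned char *)"M", 1, small, sizeof(small)),
           ex_b64_encode((const unsigned char *)"M", 1, ok, sizeof(ok)));
    return ex_macro_covers(4096) ? 0 : 1;
}
```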
Philippe Antoine [Sat, 31 Oct 2020 16:12:19 +0000 (17:12 +0100)]
ssl: improves keyword ssl_version parsing
Removes the use of PCRE for performance
Forbids empty negations after a valid pattern
Forbids mixing negative and positive forms as it is irrelevant
Forbids useless repetition of a version
Philippe Antoine [Wed, 14 Oct 2020 19:25:40 +0000 (21:25 +0200)]
detect: null sanity checks for pkthdr
Even when the rules are only applied on traffic with the protocol,
the structure for the protocol header can be set to NULL if there
was an error parsing the header.
Jason Ish [Mon, 30 Nov 2020 21:11:57 +0000 (15:11 -0600)]
rust: handle windows naming change from .lib to .a
Prior to Rust 1.44, Cargo would name static libs with the .lib
extension. 1.44 changes this extension to .a when running under
a GNU environment on Windows like msys to make it more similar
to other unix environments.
Now assume static library name to be the same on Windows and
unix, but rename the .lib if found to still support older
versions of Rust on Windows.
Victor Julien [Mon, 30 Nov 2020 06:44:54 +0000 (07:44 +0100)]
detect: fix inspection order with stateful rules
When stateful detection rules, for which detection has already started
for a previous packet, are added to the candidates array, the array
is sorted to maintain the correct inspection order. However, due to a
trivial error in the sort helper the array was sorted in descending
instead of ascending order.
Philippe Antoine [Thu, 19 Nov 2020 14:50:54 +0000 (15:50 +0100)]
rust: fix warnings found by nightly compiler
warning: getting the inner pointer of a temporary `CString`
this `CString` is deallocated at the end of the statement,
bind it to a variable to extend its lifetime
Jason Ish [Mon, 23 Nov 2020 18:11:42 +0000 (12:11 -0600)]
dnp3: set byte order when logging dnp3 src and dst
DNP3 uses little endian on the wire; for the most part this
is handled as the messages are deserialized. However, the link
header is a cast over raw data, so swap these bytes as they
are being logged.
Jason Ish [Mon, 16 Nov 2020 17:36:39 +0000 (11:36 -0600)]
rust/log: expand macros after checking log level
Expand macros in the do_log macro after checking the log level
instead of each log macro (ie: SCLogDebug) expanding the macros
then passing off to do_log to have the log level check.
Will eliminate any expense of expanding macros if this log level
does not permit the given message to be logged.