In case LF was found for a long line way outside of the limit, we should
not need to update the delimiter len and current line len because the
line is capped at 4k and the LF was not within these 4k bytes.
So far, we store one variable in state to hold whether we want to
discard a long line till LF irrespective of direction. This means that a
long command to the client followed by a regular command w LF can be
considered as one long line which is incorrect.
Problem:
If we receive a long line w/o LF, we cap it to 4k bytes and wait until a
line with LF comes in order to consider the previous line complete. Any
data post the 4k bytes is discarded. Currently, if a line with LF comes
in after a long line, we reset all the parameters used for processing it
like the line.len and line.delim_len but we still make the call to
SMTPProcessRequest fn without even the need to process anything. Since
such a line (with len and delim_len set to 0) should not reach mime
decoder, a debug assertion triggers there in this case.
Fix:
Make sure to return early as the line has to be skipped and not
processed at all.
Lukas Sismis [Thu, 30 Mar 2023 08:59:40 +0000 (10:59 +0200)]
bpf: refactor the BPF code and postpone querying of the engine mode
BPF codebase queried engine mode earlier than it was determined from
the configuration file/command line. As a result it used the default (IDS)
mode where it could've been configured later on to the IPS mode.
This could lead into an undefined behavior as some Suricata modules behave
according to the engine mode.
PF-Ring, Netmap and AF-Packet all shared almost identical code for
determining the engine mode. It was put into one common function.
Omitted the usage of SCStrdup function in PF-Ring module as it is
uppercased during thread initialization phase.
Jason Ish [Mon, 1 May 2023 16:50:40 +0000 (10:50 -0600)]
detect: fix setting of flag for rule reload
As part of 6d8b50b748844e9de6010cde5a6b139148c0e937, the settings of
THV_CAPTURE_INJECT_PKT ended up in a location unreachable by capture
methods that did not have PktAcqBreakLoop.
Instead, always call TmThreadsCaptureBreakLoop which handles the logic
for how the read loop should be broken.
This fixes the case where read threads won't "break" for rule reloads
until packets are seen.
Victor Julien [Fri, 21 Apr 2023 08:21:17 +0000 (10:21 +0200)]
stream: fix minor scan-build warning
stream-tcp.c:134:14: warning: Value stored to 'presize' during its initialization is never read [deadcode.DeadStores]
uint64_t presize = SC_ATOMIC_GET(st_memuse);
^~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
Victor Julien [Fri, 21 Apr 2023 12:12:36 +0000 (14:12 +0200)]
mime: address scan-build warnings
util-decode-mime.c:189:31: warning: Use of memory after it is freed [unix.Malloc]
lastSibling->next = entity->child;
~~~~~~~~~~~~~~~~~ ^
util-decode-mime.c:827:24: warning: Potential leak of memory pointed to by 'val' [unix.Malloc]
state->hname = NULL;
^~~~
/usr/lib/llvm-16/lib/clang/16/include/stddef.h:89:24: note: expanded from macro 'NULL'
# define NULL ((void*)0)
^
2 warnings generated.
Improve error handling and add assert to avoid these warnings.
Victor Julien [Fri, 21 Apr 2023 12:57:22 +0000 (14:57 +0200)]
radix: add debug validation to assist scan-build
util-radix-tree.c:595:34: warning: Access to field 'stream' results in a dereference of a null pointer (loaded from field 'prefix') [core.NullDereference]
if ((temp = (stream[i] ^ bottom_node->prefix->stream[i])) == 0) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~
util-radix-tree.c:717:30: warning: Access to field 'stream' results in a dereference of a null pointer (loaded from field 'prefix') [core.NullDereference]
if (SC_RADIX_BITTEST(bottom_node->prefix->stream[differ_bit >> 3],
^~~~~~~~~~~~~~~~~~~~~~~~~~~
./util-radix-tree.h:27:34: note: expanded from macro 'SC_RADIX_BITTEST'
#define SC_RADIX_BITTEST(x, y) ((x) & (y))
^
2 warnings generated.
Victor Julien [Fri, 21 Apr 2023 09:33:43 +0000 (11:33 +0200)]
detect: fix scan-build warnings
detect-engine-address.c:1140:17: warning: Use of memory after it is freed [unix.Malloc]
r = DetectAddressCmp(ag, ag2);
^~~~~~~~~~~~~~~~~~~~~~~~~
detect-engine-address.c:1169:17: warning: Use of memory after it is freed [unix.Malloc]
r = DetectAddressCmp(ag, ag2);
^~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.
detect-engine-port.c:1161:9: warning: Use of memory after it is freed [unix.Malloc]
DetectPortPrint(ag2);
^~~~~~~~~~~~~~~~~~~~
1 warning generated.
Victor Julien [Fri, 21 Apr 2023 09:16:13 +0000 (11:16 +0200)]
mpm/ac-bs: work around scan-build warnings
util-mpm-ac-bs.c:482:32: warning: Result of 'malloc' is converted to a pointer of type 'uint16_t[256]', which is incompatible with sizeof operand type 'uint16_t' [unix.MallocSizeof]
ctx->state_table_u16 = SCMalloc(ctx->state_count *
^~~~~~~~
./util-mem.h:35:18: note: expanded from macro 'SCMalloc'
#define SCMalloc malloc
^~~~~~
util-mpm-ac-bs.c:524:32: warning: Result of 'malloc' is converted to a pointer of type 'uint32_t[256]', which is incompatible with sizeof operand type 'uint32_t' [unix.MallocSizeof]
ctx->state_table_u32 = SCMalloc(ctx->state_count *
^~~~~~~~
./util-mem.h:35:18: note: expanded from macro 'SCMalloc'
#define SCMalloc malloc
^~~~~~
2 warnings generated.
Victor Julien [Fri, 21 Apr 2023 09:13:19 +0000 (11:13 +0200)]
mpm/ac: work around scan-build warnings
util-mpm-ac.c:531:32: warning: Result of 'malloc' is converted to a pointer of type 'uint16_t[256]', which is incompatible with sizeof operand type 'uint16_t' [unix.MallocSizeof]
ctx->state_table_u16 = SCMalloc(ctx->state_count *
^~~~~~~~
./util-mem.h:35:18: note: expanded from macro 'SCMalloc'
#define SCMalloc malloc
^~~~~~
util-mpm-ac.c:575:32: warning: Result of 'malloc' is converted to a pointer of type 'uint32_t[256]', which is incompatible with sizeof operand type 'uint32_t' [unix.MallocSizeof]
ctx->state_table_u32 = SCMalloc(ctx->state_count *
^~~~~~~~
./util-mem.h:35:18: note: expanded from macro 'SCMalloc'
#define SCMalloc malloc
^~~~~~
2 warnings generated.
Victor Julien [Fri, 21 Apr 2023 08:25:30 +0000 (10:25 +0200)]
suricata: work around scan-build warnings
suricata.c:691:17: warning: Value stored to 'bits' during its initialization is never read [deadcode.DeadStores]
const char *bits = "<unknown>-bits";
^~~~ ~~~~~~~~~~~~~~~~
suricata.c:692:17: warning: Value stored to 'endian' during its initialization is never read [deadcode.DeadStores]
const char *endian = "<unknown>-endian";
^~~~~~ ~~~~~~~~~~~~~~~~~~
2 warnings generated.
Jason Ish [Thu, 29 Sep 2022 17:32:23 +0000 (11:32 -0600)]
github-ci: use bundle.sh script for libhtp, suricata-update
Update the GitHub CI workflow to use the bundle.sh script to pull in
Suricata-Update and libhtp. This means one less place where defaults
are hardcoded and can get out of sync.
This also simplifies the variable names that can be embedded in a pull
request message to use the same variable names that bundle.sh
expects. Of note, this removes the _PR variant, instead a branch name
of "pr/N" can be used to specify a PR.
Jason Ish [Fri, 23 Sep 2022 04:29:28 +0000 (22:29 -0600)]
bundle.sh: allow a PR # to be specified
Allow pull requests (and merge requests) to be specified by using a
branch name like "pr/111" or "mr/222". This allows CI to use this
script as well, instead of multiple variations of the same thing.
Additonally allow the destination directory to be overridden with the
DESTDIR environment variable.
Justin Azoff [Sat, 18 Feb 2023 02:11:46 +0000 (21:11 -0500)]
detect/iponly: Reduce the size of the SigNumArray bitsets
Instead of tracking ip only rules by the internal signum, track them by
a separate counter that starts at zero. This results in dense
SigNumArrays instead of sparse ones and a much smaller max_idx.
Before:
If LF character was found, so far, we won't enforce the line limit on
the line. We only enforced limits in case of LF character missing in a
long line.
After this patch:
Line limit is enforced on the line if it is bigger than 4096 Bytes
irrespective of whether LF was found or not.
Victor Julien [Tue, 11 Apr 2023 09:40:35 +0000 (11:40 +0200)]
pcap: improve pcap_breakloop support
When pcap_breakloop has been issued on a handle, the current pcap_dispatch
call may return -2 (PCAP_ERROR_BREAK), but it can also return the number
of processed packets if lower than the desired number. So add this condition
as a check.
Philippe Antoine [Thu, 26 Jan 2023 08:28:46 +0000 (09:28 +0100)]
http: complete multipart until request.body-limit
In the case we are truncating a multipart file because of reaching
request.body-limit, we used to not consume the whole buffer, but
keep expected_boundary_len bytes in case a new boundary begins
in these bytes.
Even if we cannot check the complete boundary, we can still check
the first bytes, as will be done in the rust version.
Old behavior:
With RFC4648, the decoded bytes were reset to 0 in case an unusual
character was encountered in the encoded string. This worked out fine
for small test cases where there weren't many bytes to be decoded.
Problem:
If a big encoded string had a character outside of the base alphabet,
the processing would stop and the number of decoded bytes were set to 0.
However, even though the processing should stop at the invalid
character, the number of decoded bytes should correctly store the bytes
decoded up until the point an invalid characted was encountered.
New behavor:
For any base64 encoded string given to the base64 decoder in RFC4648
mode, we make sure that the number of decoded bytes correctly reflect
the number of bytes processed up until the string was valid. This makes
sure any further calculations/use of the decoded data is done correctly.
projects / thirdparty / suricata.git / log
