From 03d049dadce71b5e751dddd3bfddd3a2ccf7a21d Mon Sep 17 00:00:00 2001
From: Victor Julien <vjulien@oisf.net>
Date: Thu, 20 Oct 2022 15:14:26 +0200
Subject: [PATCH] decode: enforce layer limit through tunnel layers

Bug: #5686.
---
 src/decode.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/decode.c b/src/decode.c
index a4e7e2a16a..fec718c64c 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -312,6 +312,11 @@ Packet *PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *pare
 
     SCEnter();
 
+    if (parent->nb_decoded_layers + 1 >= decoder_max_layers) {
+        ENGINE_SET_INVALID_EVENT(parent, GENERIC_TOO_MANY_LAYERS);
+        SCReturnPtr(NULL, "Packet");
+    }
+
     /* get us a packet */
     Packet *p = PacketGetFromQueueOrAlloc();
     if (unlikely(p == NULL)) {
@@ -320,7 +325,10 @@ Packet *PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *pare
 
     /* copy packet and set length, proto */
     PacketCopyData(p, pkt, len);
+    DEBUG_VALIDATE_BUG_ON(parent->recursion_level == 255);
     p->recursion_level = parent->recursion_level + 1;
+    DEBUG_VALIDATE_BUG_ON(parent->nb_decoded_layers >= decoder_max_layers);
+    p->nb_decoded_layers = parent->nb_decoded_layers + 1;
     p->ts.tv_sec = parent->ts.tv_sec;
     p->ts.tv_usec = parent->ts.tv_usec;
     p->datalink = DLT_RAW;
-- 
2.47.2