From 875895a3ec080b57fda0e4722d2a785b6771bb22 Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Sat, 5 Feb 2022 14:28:42 +0530
Subject: [PATCH] nfs: add test for memleak w file_data
---
 tests/nfs-file-data-4894/README | 14 ++++++++++++++
 tests/nfs-file-data-4894/input.pcap | Bin 0 -> 24888 bytes
 tests/nfs-file-data-4894/test.rules | 1 +
 tests/nfs-file-data-4894/test.yaml | 15 +++++++++++++++
 4 files changed, 30 insertions(+)
 create mode 100644 tests/nfs-file-data-4894/README
 create mode 100644 tests/nfs-file-data-4894/input.pcap
 create mode 100644 tests/nfs-file-data-4894/test.rules
 create mode 100644 tests/nfs-file-data-4894/test.yaml
diff --git a/tests/nfs-file-data-4894/README b/tests/nfs-file-data-4894/README
new file mode 100644
index 000000000..4f8cc352e
--- /dev/null
+++ b/tests/nfs-file-data-4894/README
@@ -0,0 +1,14 @@
+Description
+===========
+A test to demonstrate https://redmine.openinfosecfoundation.org/issues/4894 and
+https://redmine.openinfosecfoundation.org/issues/4895.
+
+Rule
+====
+
+Faulty rule provided by Jeff Lucovsky.
+
+PCAP
+====
+
+Pcap from https://wiki.wireshark.org/SampleCaptures#NFS_Protocol_Family
diff --git a/tests/nfs-file-data-4894/input.pcap b/tests/nfs-file-data-4894/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..9a94efd9ea66390e4e7174cc37eeeff2ecf057b2 GIT binary patch literal 24888 zc-rk;2~bo=8tw;(TtRTq^)BLiuZtJzXgu(Uc;C08csxagpdg6H>R{rLM6<+TVr^Mj zT#t2)8x6@O8_PAUu@XxYb=9@hiV<um|G~TfN{?{{f_jJD*bmk3a^Qzh&8R-7M z@9Y2X`)w)w^fU@U3PO=l2;omCI05I1H8Hy>3VOZ>f1V4eXye@>r|`eUbq|D~=MkE$ zc0(v3`sBV>>(&myX;#EVl#cp$jI{O{HV5esE_ZbS&I3teA7%A+$9GvX=R1E))jSar z)T!4GH4nD8)@mMgUaM8B9i`*CtCsTmn*nKM#UN-3PG zQPu>Izm290i)oXRo~E{$Jtre|&Ww~cYR>%hjD@ov&QG4_=5==@>_mJlVP1jT-HlGGq>$HDb%_~R}}yv>`{URsHkEQig3 zW!UDmi`GnO82**OW^c7)w=IjZ{11?LF4oyc0T&q+Tm+V(oC&jt<+3)7t?5-ttU}c9 zB@2HWtkkW-7DdGLc@$tx%(~jPxFeOj<+wL+ypZE~A-42_fMbif9QVq@pN~P}IWDq~ z29CQk9Pd8;6|r2#vEmD!5z;8Ok+SH|L1;y}{!n$*r_jlC=>xiC3Uv8epi50Z=yDPg zugf9(SkR?2qs!j-?}+6l>w-`ZoBmsMv)k(V0P=&tB9d=OqH_ ziSdIrA41}_*=ZjK+Kgnh$v@kYSZ=a5D>R=d=jzq_>*_(p+8;yW`QN7Y1O8JO{_|?j z$0&*g{0ExFzxMaj94$ykFc1>2LpQq$I_zb1XptC15Gdllfhk$WO(JkJo8u-Omwf3d z;bscJ9z)dHHo1&OxTylwkn-H_PsVGy~MwO{h$#n!({Wo}Q zt#pONajCSn&(RRSv7hErsqDVHO=U$3MP#2}Lsj(0bkhb^@WI1Vt2V^PG>>TFcD!O0ATZXYCGhu!vhphH(i zhfQrP1f7vDI=x-sCr_diAkfNd5V*xg=cxK9WYEV90-a{CeN3%K7|Az&?qdR`r8%?! 
z1hPIR9kkfN_A&j+2?95Lj3GCJft%?ZHxF^i|9MKdnGf7-=eQ{&2%dzSA;8TvZfr6K zmwct_j7^qA;s4fy#P_EW_65+No@ThYTb4)=c(_*OlfG2w%f9U|HKwFm4+X80IX}3M znfkWs_yHi0`9TKw!B)->9ufp@`~XV+8WPXV33V87(}Ce;f7c7R3`n_bn?Rm3JH;g}KbL9T0Q)h2Wtbrd5hqf|>^CN8~@v6UL z=5%Lk*APf!=5o;gb2erUyG0Oqy1uWi&9tgS%na8vn@p1=ZBEhpgI{3{794u^-bx$H zF%sX-^`q7!Kn@EkQ`ah`b$XiWWvv6Jr@laGEsdEgAZEVF#msvIft#3V$jwOL zW-`moj@!88>wfkFPr0!HHyb%_?h*uUxH+sXUY>!(b8}dQ-3Ci%hMNyQiNYn93b?7^ zqjn?m&`R>Bp;T%@;^Rn=eYGHt+$^0$P#X0kju;W}3H?IOWuW;PlCI~#?Mm8RW9UDt)c0Ag<9xnN&fSWM0xgl$!<$^U)#?zhSk&xPW z)TA_q#K(~s`)d$KnDu1^U3#6Mt<0Kesbn69k#8v%j7bzX^SDy*^|B2LpL=&72FgTq zjzYR88~6_F8d=7%zB6DdX6$=^k3r*{nrjH8W6%wt`TOh`^iU^);7QMzcwG|{w0;*7 zuXTYsUeJfETcl#9eh_FKWTw`X^?!oI$H;v98xSK~F*@50{+?Lx^w7tw9{eH$pw_LWbkPlq9WA_yf77)vQc*aHArVl{kIo_*I6znT(&a`4nZwWY# zGOkllea~QS7WgEw3)huP=P2Y{fq^eggZ46n^`(X- zn92L*`I1P0K$+EM3(}9}??AgBh+AiY*^Un6kxp}O! zeSlc%SAPM&TE_ZSgHnRH5`MK~w00)ldtX#AIqz2jpYw_@+1kzZ*=-3Qn1pnwlO)d@vO4#Xma&iRXX6{jcDI-!lB~96y_&^5{&T zz&~XA1RIaHUG#DKfCHU1aqebkbkUK?)&W&PU$gGT=@?m=dFy~ey&@>ZC7;am*L!4{YMJqGEP%VN-8;JOwYgO0yPEU#<~dTgF` zOPd!NwCUNv@gQz(d(@PM5y-@~ZQ(4NvR>Av-vgc_*fyOrlvr>2{x@Z@tWBo?-$S{z z?J3w|#l*F37rrUWWo^0;xVEruI%g`e++CaY8qbuajvHMp$2(QH;bG~;aGc*c0b3d% z;5gXCHcg%cBtXI6OZyx2qqo?5X|pdkp-F8H;Cttl=ZT{VL!wx zh3y+!EG5?aU{6Rs-{LHm^$n@O_dsqP_A0ixnu+(RT==Fem-P+*0IoyWzM;iBV!4<1 zJ>AS}bxURYo@u~wM|R&cw-8$zY~H@7uuY5iJpqjp0Ey@Qmi++4oP9XPi~*12SySi(Bc`t>~k1v@tL4+ z-!$S5LEw=V^m?{8_xP{|E9o4C9zq6MzzsG_4{q=N97YmaW%lj?fpkCjC}^>S-Os(b zlOXt6@7=pdx>NWCXuX)z`p*QxFIrb<4L9;E-8ij} zVWz^(>+d|#S{h@&1g+1qF}66BAn+*0(wuoyi)IHp+34Jj7MY;MbKIGke`6#ORp!i$ zvELmBEwWj^`|T!zz>jBUr0WvC(>koC(cP(iL2XR3_WfIzDC3D7!=)A}uf z;1{hcw1(TdmM)yuM=(>7evYx6*3uYz60|JVgc)SpRXYZJRRHkPUo~ any any (msg:"NFS support";file.data;content:" ";nfs_procedure: < 14900000;sid:2;) diff --git a/tests/nfs-file-data-4894/test.yaml b/tests/nfs-file-data-4894/test.yaml new file mode 100644 index 000000000..d7095e56c --- /dev/null +++ b/tests/nfs-file-data-4894/test.yaml 
@@ -0,0 +1,15 @@
+requires:
+ lt-version: 7
+
+exit-code: 0
+
+command: |
+ ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/etc/classification.config" \
+ --set reference-config-file="${SRCDIR}/etc/reference.config" -l ${OUTPUT_DIR} \
+ --set threshold-file="${TEST_DIR}/threshold.config" \
+ -c "${SRCDIR}/suricata.yaml" -r ${TEST_DIR}/input.pcap -S ${TEST_DIR}/test.rules
+
+checks:
+ - shell:
+ args: grep "Can't use file_data with NFS keywords" stderr | wc -l | xargs
+ expect: 1
-- 
2.47.2
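Review bot: The command passes `--set threshold-file="${TEST_DIR}/threshold.config"`, but the diffstat creates only README, input.pcap, test.rules and test.yaml in this new directory, so that path appears not to exist; dropping the option would keep the run from depending on how a missing threshold file is handled. The `requires:` block sets only `lt-version: 7`; if the "Can't use file_data with NFS keywords" message was introduced by the fix for the linked tickets, builds that predate it would fail the grep check, so a `min-version:` bound naming the first fixed release (value to be confirmed against the fix) would be worth adding. The check asserts only the rule-load error, so the leak itself is presumably caught only when the suite runs on a leak-detecting build; a one-line comment above `checks:` or a sentence in the README saying so would make the test's coverage explicit.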