From e49b5358f9e075dd85365d8451180684f79e5825 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Thu, 13 May 2021 08:06:11 +0200
Subject: [PATCH] detect: set event if max inspect buffers exceeded

If a parser exceeds 1024 buffers we stop processing them and set a detect event instead. This is to avoid parser bugs as well as crafted bad traffic leading to resources starvation due to excessive loops.

(cherry picked from commit e611adf3dc5b531a9d0ef9b861b4dbe0e150eae6)
---
 src/detect-engine.c | 43 ++++++++++++++++++++++++++-----------------
 src/detect.h | 2 ++
 2 files changed, 28 insertions(+), 17 deletions(-)

diff --git a/src/detect-engine.c b/src/detect-engine.c
index afbe56ca83..84f7826f0e 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -103,25 +103,29 @@ static uint32_t DetectEngineTentantGetIdFromPcap(const void *ctx, const Packet *
 static DetectEngineAppInspectionEngine *g_app_inspect_engines = NULL;
 static DetectEnginePktInspectionEngine *g_pkt_inspect_engines = NULL;
 
-SCEnumCharMap det_ctx_event_table[ ] = {
+SCEnumCharMap det_ctx_event_table[] = {
 #ifdef UNITTESTS
- { "TEST", DET_CTX_EVENT_TEST },
+ { "TEST", DET_CTX_EVENT_TEST },
 #endif
- { "NO_MEMORY", FILE_DECODER_EVENT_NO_MEM },
- { "INVALID_SWF_LENGTH", FILE_DECODER_EVENT_INVALID_SWF_LENGTH },
- { "INVALID_SWF_VERSION", FILE_DECODER_EVENT_INVALID_SWF_VERSION },
- { "Z_DATA_ERROR", FILE_DECODER_EVENT_Z_DATA_ERROR },
- { "Z_STREAM_ERROR", FILE_DECODER_EVENT_Z_STREAM_ERROR },
- { "Z_BUF_ERROR", FILE_DECODER_EVENT_Z_BUF_ERROR },
- { "Z_UNKNOWN_ERROR", FILE_DECODER_EVENT_Z_UNKNOWN_ERROR },
- { "LZMA_DECODER_ERROR", FILE_DECODER_EVENT_LZMA_DECODER_ERROR },
- { "LZMA_MEMLIMIT_ERROR", FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR },
- { "LZMA_OPTIONS_ERROR", FILE_DECODER_EVENT_LZMA_OPTIONS_ERROR },
- { "LZMA_FORMAT_ERROR", FILE_DECODER_EVENT_LZMA_FORMAT_ERROR },
- { "LZMA_DATA_ERROR", FILE_DECODER_EVENT_LZMA_DATA_ERROR },
- { "LZMA_BUF_ERROR", FILE_DECODER_EVENT_LZMA_BUF_ERROR },
- { "LZMA_UNKNOWN_ERROR", FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR },
- { NULL, -1 },
+ { "NO_MEMORY", FILE_DECODER_EVENT_NO_MEM },
+ { "INVALID_SWF_LENGTH", FILE_DECODER_EVENT_INVALID_SWF_LENGTH },
+ { "INVALID_SWF_VERSION", FILE_DECODER_EVENT_INVALID_SWF_VERSION },
+ { "Z_DATA_ERROR", FILE_DECODER_EVENT_Z_DATA_ERROR },
+ { "Z_STREAM_ERROR", FILE_DECODER_EVENT_Z_STREAM_ERROR },
+ { "Z_BUF_ERROR", FILE_DECODER_EVENT_Z_BUF_ERROR },
+ { "Z_UNKNOWN_ERROR", FILE_DECODER_EVENT_Z_UNKNOWN_ERROR },
+ { "LZMA_DECODER_ERROR", FILE_DECODER_EVENT_LZMA_DECODER_ERROR },
+ { "LZMA_MEMLIMIT_ERROR", FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR },
+ { "LZMA_OPTIONS_ERROR", FILE_DECODER_EVENT_LZMA_OPTIONS_ERROR },
+ { "LZMA_FORMAT_ERROR", FILE_DECODER_EVENT_LZMA_FORMAT_ERROR },
+ { "LZMA_DATA_ERROR", FILE_DECODER_EVENT_LZMA_DATA_ERROR },
+ { "LZMA_BUF_ERROR", FILE_DECODER_EVENT_LZMA_BUF_ERROR },
+ { "LZMA_UNKNOWN_ERROR", FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR },
+ {
+ "TOO_MANY_BUFFERS",
+ DETECT_EVENT_TOO_MANY_BUFFERS,
+ },
+ { NULL, -1 },
 };
 
 /** \brief register inspect engine at start up time
@@ -1091,6 +1095,11 @@ static InspectionBufferMultipleForList *InspectionBufferGetMulti(
 InspectionBuffer *InspectionBufferMultipleForListGet(
 DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
 {
+ if (unlikely(local_id >= 1024)) {
+ DetectEngineSetEvent(det_ctx, DETECT_EVENT_TOO_MANY_BUFFERS);
+ return NULL;
+ }
+
 InspectionBufferMultipleForList *fb = InspectionBufferGetMulti(det_ctx, list_id);
 
 if (local_id >= fb->size) {
diff --git a/src/detect.h b/src/detect.h
index 8095816946..97f089b82d 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -1240,6 +1240,8 @@ enum {
 FILE_DECODER_EVENT_LZMA_DATA_ERROR,
 FILE_DECODER_EVENT_LZMA_BUF_ERROR,
 FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR,
+
+ DETECT_EVENT_TOO_MANY_BUFFERS,
 };
 
 #define SIG_GROUP_HEAD_HAVERAWSTREAM BIT_U32(0)
-- 
2.47.2
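Review bot: The new `TOO_MANY_BUFFERS` row is the only entry in det_ctx_event_table spread over three lines with a trailing comma after the value, while every other row is a single `{ "NAME", VALUE },` line; writing it as `{ "TOO_MANY_BUFFERS", DETECT_EVENT_TOO_MANY_BUFFERS },` keeps the table uniform and makes the one substantive change in an otherwise whitespace-only rewrite of the table easy to spot. The string is also the only thing an operator sees in an alert and it does not say which limit tripped, so a short row comment such as `/* a parser handed the detect engine more inspect buffers for one list than it will track */` would save the trip back to the source.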
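Review bot: The cap is a bare magic number in the new guard at the top of InspectionBufferMultipleForListGet; the same 1024 appears in the commit message but nowhere a maintainer or a future config option can find it, so it should be a named constant, e.g. `#define DETECT_ENGINE_MAX_INSPECT_BUFFERS 1024` next to the event enum and `if (unlikely(local_id >= DETECT_ENGINE_MAX_INSPECT_BUFFERS)) {` here. The guard bounds memory (it runs before InspectionBufferGetMulti, so the list is never grown past the cap) but it only bounds the loop the commit message is worried about if every caller treats NULL as "stop", which I cannot confirm from the hunk; a caller that skips a NULL and keeps incrementing local_id would re-set the event on every iteration and loop as before. Since the function now returns NULL for two different reasons, the doxygen block should state it: `\retval NULL local_id is at or above the buffer cap (DETECT_EVENT_TOO_MANY_BUFFERS is set) or the buffer could not be provided`, with the second case hedged because the rest of the function body is outside this hunk.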
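Review bot: DETECT_EVENT_TOO_MANY_BUFFERS is appended to an anonymous enum whose other visible members carry the FILE_DECODER_EVENT_ prefix (and, per the table in detect-engine.c, a DET_CTX_EVENT_ one under UNITTESTS), so this enum now mixes three prefixes without any comment explaining that they share one number space and one string table. Appending at the end is the right choice because it keeps every existing value stable, but the enumerator deserves a doc comment, e.g. `/** a parser produced more inspect buffers for one list than the detect engine will allocate; set by InspectionBufferMultipleForListGet(), which then returns NULL */`, so the header reader does not have to find the check in detect-engine.c. The enum's opening line is outside this hunk, so I cannot tell whether a group-level comment already covers the prefix mix.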