if ( Analyzer::get_switcher()->get_context()->rpl.empty() )
return false;
- auto rep = Analyzer::get_switcher()->get_context()->rpl.back();
+ const auto& rep = Analyzer::get_switcher()->get_context()->rpl.back();
s = rep.data;
off = rep.offset;
if ( child->option_type != RULE_OPTION_TYPE_LEAF_NODE )
continue;
- OptTreeNode* cotn = (OptTreeNode*)child->option_data;
+ const OptTreeNode* cotn = (OptTreeNode*)child->option_data;
const SigInfo& csi = cotn->sigInfo;
const SigInfo& osi = otn->sigInfo;
node = pox->rule_hash->find_next())
{
unsigned sid, gid;
- int* prindex = (int*)node->data;
+ const int* prindex = (int*)node->data;
/* be safe - no rule index, ignore it */
if (prindex == nullptr)
static void fpCreatePortTableRuleGroups(SnortConfig* sc, PortTable* p, PortObject2* poaa)
{
int cnt = 1;
- FastPatternConfig* fp = sc->fast_pattern_config;
+ const FastPatternConfig* fp = sc->fast_pattern_config;
if ( fp->get_debug_print_rule_group_build_details() )
LogMessage("%d Port Groups in Port Table\n",p->pt_mpo_hash->get_count());
*/
static void fpCreateServiceRuleGroups(SnortConfig* sc)
{
- FastPatternConfig* fp = sc->fast_pattern_config;
+ const FastPatternConfig* fp = sc->fast_pattern_config;
sc->srmmTable = ServiceMapNew();
#ifdef RF_DBG
printf(
"THRESHOLD: gid=%u, sid=%u, tracking=%d, count=%u, seconds=%u \n",
- thdx->gid, thdx->sid, thdx->tracking, thdx->count, thdx->seconds);
+ thdx->gid, thdx->sid, thdx->tracking, unsigned(thdx->count), thdx->seconds);
#endif
/* Add the object to the table - */
struct SnortConfig;
}
struct RateFilterConfig;
-struct tSFRFConfigNode;
+class tSFRFConfigNode;
struct OptTreeNode;
RateFilterConfig* RateFilter_ConfigNew();
nrows = nbytes / (SFRF_BYTES);
/* Create global hash table for all of the IP Nodes */
+ std::lock_guard<std::mutex> lock(sfrf_hash_mutex);
rf_hash = new XHash(nrows, sizeof(tSFRFTrackingNodeKey), sizeof(tSFRFTrackingNode), nbytes);
}
void SFRF_Delete()
{
+ std::lock_guard<std::mutex> lock(sfrf_hash_mutex);
+
if ( !rf_hash )
return;
- std::lock_guard<std::mutex> lock(sfrf_hash_mutex);
delete rf_hash;
rf_hash = nullptr;
}
int SFRF_Alloc(unsigned int memcap)
{
- if ( rf_hash == nullptr )
+ sfrf_hash_mutex.lock();
+ const XHash* current_rf_hash = rf_hash;
+ sfrf_hash_mutex.unlock();
+
+ if ( current_rf_hash == nullptr )
{
SFRF_New(memcap);
+ sfrf_hash_mutex.lock();
if ( rf_hash == nullptr )
+ {
+ sfrf_hash_mutex.unlock();
return -1;
+ }
+ sfrf_hash_mutex.unlock();
}
return 0;
}
{
printf(".........SFRF_ID =%d\n",cfgNode->tid);
printf(".........tracking =%d\n",cfgNode->tracking);
- printf(".........count =%u\n",cfgNode->count);
- printf(".........seconds =%u\n",cfgNode->seconds);
+ printf(".........count =%u\n",cfgNode->count.load());
+ printf(".........seconds =%lu\n",cfgNode->seconds);
}
}
}
{
if ( cfgNode->seconds )
{
- unsigned dt = (unsigned)(curTime - dynNode->tstart);
+ time_t dt = curTime - dynNode->tstart;
if ( dt >= cfgNode->seconds )
{ // observation period is over, start a new one
dynNode->tstart = curTime;
- dt = (unsigned)(curTime - dynNode->tlast);
+ dt = curTime - dynNode->tlast;
if ( dt > cfgNode->seconds )
dynNode->overRate = 0;
else
if ( dynNode->filterState == FS_ON )
{
if ( (cfgNode->timeout != 0 )
- && ((unsigned)(curTime - dynNode->revertTime) >= cfgNode->timeout))
+ && (curTime - dynNode->revertTime) >= cfgNode->timeout)
{
if ( dynNode->count > cfgNode->count || dynNode->overRate )
{
#ifndef SFRF_H
#define SFRF_H
+#include <atomic>
#include <ctime>
#include <mutex>
FS_NEW = 0, FS_OFF, FS_ON, FS_MAX
} FilterState;
-struct tSFRFConfigNode
+class tSFRFConfigNode
{
+public:
int tid = 0;
unsigned gid = 0;
unsigned sid = 0;
PolicyId policyId = 0;
SFRF_TRACK tracking = SFRF_TRACK_BY_NONE;
- unsigned count = 0;
- unsigned seconds = 0;
+ time_t seconds = 0;
+
+ // The count variable can be updated by multiple threads simultaneously, so it must be atomic
+ std::atomic<unsigned> count{0};
// Action that replaces original rule action on reaching threshold
snort::IpsAction::Type newAction = 0;
unsigned timeout = 0;
sfip_var_t* applyTo = nullptr;
+ tSFRFConfigNode() = default;
+
+ tSFRFConfigNode(const tSFRFConfigNode& other)
+ : tid(other.tid)
+ , gid(other.gid)
+ , sid(other.sid)
+ , policyId(other.policyId)
+ , tracking(other.tracking)
+ , seconds(other.seconds)
+ , count(other.count.load())
+ , newAction(other.newAction)
+ , timeout(other.timeout)
+ , applyTo(other.applyTo)
+ { }
+
+ tSFRFConfigNode(tSFRFConfigNode&& other) noexcept
+ : tid(other.tid)
+ , gid(other.gid)
+ , sid(other.sid)
+ , policyId(other.policyId)
+ , tracking(other.tracking)
+ , seconds(other.seconds)
+ , count(other.count.load())
+ , newAction(other.newAction)
+ , timeout(other.timeout)
+ , applyTo(other.applyTo)
+ { }
+
+ ~tSFRFConfigNode() = default;
+
+ tSFRFConfigNode& operator=(const tSFRFConfigNode& other)
+ {
+ if (this != &other)
+ {
+ tid = other.tid;
+ gid = other.gid;
+ sid = other.sid;
+ policyId = other.policyId;
+ tracking = other.tracking;
+ seconds = other.seconds;
+ count.store(other.count.load());
+ newAction = other.newAction;
+ timeout = other.timeout;
+ applyTo = other.applyTo;
+ }
+ return *this;
+ }
+
void init()
{
tid = 0;
THD_IP_NODE* sfthd_ip_node,
time_t curtime)
{
- unsigned dt;
+ uint64_t dt;
if ( sfthd_node->type == THD_TYPE_DETECT )
{
- dt = (unsigned)(curtime - sfthd_ip_node->tstart);
+ dt = curtime - sfthd_ip_node->tstart;
if ( dt >= sfthd_node->seconds )
{ /* reset */
sfthd_ip_node->tstart = curtime;
- if ( (unsigned)(curtime - sfthd_ip_node->tlast) > sfthd_node->seconds )
+ if ( static_cast<uint64_t>(curtime - sfthd_ip_node->tlast) > sfthd_node->seconds )
sfthd_ip_node->prev = 0;
else
sfthd_ip_node->prev = sfthd_ip_node->count - 1;
}
if ( sfthd_node->type == THD_TYPE_LIMIT )
{
- dt = (unsigned)(curtime - sfthd_ip_node->tstart);
+ dt = curtime - sfthd_ip_node->tstart;
if ( dt >= sfthd_node->seconds )
{ /* reset */
}
else if ( sfthd_node->type == THD_TYPE_THRESHOLD )
{
- dt = (unsigned)(curtime - sfthd_ip_node->tstart);
+ dt = curtime - sfthd_ip_node->tstart;
if ( dt >= sfthd_node->seconds )
{
sfthd_ip_node->tstart = curtime;
}
else if ( sfthd_node->type == THD_TYPE_BOTH )
{
- dt = (unsigned)(curtime - sfthd_ip_node->tstart);
+ dt = curtime - sfthd_ip_node->tstart;
if ( dt >= sfthd_node->seconds )
{
sfthd_ip_node->tstart = curtime;
else
{
printf(".........count =%d\n",sfthd_node->count);
- printf(".........seconds =%u\n",sfthd_node->seconds);
+ printf(".........seconds =%lu\n",sfthd_node->seconds);
}
}
}
int type = 0;
int priority = 0;
int count = 0;
- unsigned seconds = 0;
+ uint64_t seconds = 0;
sfip_var_t* ip_address = nullptr;
};
}
index = ha->handle_counter;
+
+ // Guard against null index which could cause a shift by a negative amount
+ if (!index)
+ return;
+
handle = (1 << (index - 1));
ha->client_map[index] = this;
ha->handle_counter++;
msg.advance_cursor(sizeof(key->ip_l[3]));
memcpy(msg.cursor, &key->ip_h[3], sizeof(key->ip_h[3]));
msg.advance_cursor(sizeof(key->ip_h[3]));
- memcpy(msg.cursor, ((const uint8_t*) key) + 32, KEY_SIZE_IP4 - 8);
+ memcpy(msg.cursor, (reinterpret_cast<const uint8_t*>(key)) + 32, KEY_SIZE_IP4 - 8);
msg.advance_cursor(KEY_SIZE_IP4 - 8);
return KEY_TYPE_IP4;
key.ip_h[2] = htonl(0xFFFF);
msg.advance_cursor(sizeof(key.ip_h[3]));
/* The remainder of the key */
- memcpy(((uint8_t*) &key) + 32, msg.cursor, KEY_SIZE_IP4 - 8);
+ memcpy((reinterpret_cast<uint8_t*>(&key)) + 32, msg.cursor, KEY_SIZE_IP4 - 8);
msg.advance_cursor(KEY_SIZE_IP4 - 8);
return KEY_SIZE_IP4;
// at the beginning of the content section.
static void write_msg_header(const Flow& flow, HAEvent event, uint16_t content_length, HAMessage& msg)
{
- HAMessageHeader* hdr = (HAMessageHeader*) msg.cursor;
+ HAMessageHeader* hdr = reinterpret_cast<HAMessageHeader*>(msg.cursor);
hdr->event = (uint8_t) event;
hdr->version = HA_MESSAGE_VERSION;
hdr->total_length = content_length;
static uint16_t update_msg_header_length(const HAMessage& msg)
{
- HAMessageHeader* hdr = (HAMessageHeader*) msg.buffer;
+ HAMessageHeader* hdr = reinterpret_cast<HAMessageHeader*>(msg.buffer);
hdr->total_length = msg.cursor_position();
return hdr->total_length;
}
// Preemptively insert the client header. If production fails, roll back the message cursor
// to its original position.
uint8_t* original_cursor = msg.cursor;
- HAClientHeader* header = (HAClientHeader*) original_cursor;
+ HAClientHeader* header = reinterpret_cast<HAClientHeader*>(original_cursor);
header->client = client->index;
msg.advance_cursor(sizeof(HAClientHeader));
if (!client->produce(flow, msg))
break;
}
- HAClientHeader* header = (HAClientHeader*) msg.cursor;
+ HAClientHeader* header = reinterpret_cast<HAClientHeader*>(msg.cursor);
if ((header->client >= ha->handle_counter) || (ha->client_map[header->client] == nullptr))
{
ErrorMessage("Consuming HA Update message - invalid client index\n");
return nullptr;
}
- const HAMessageHeader* hdr = (HAMessageHeader*) msg.cursor;
+ const HAMessageHeader* hdr = reinterpret_cast<HAMessageHeader*>(msg.cursor);
if (hdr->version != HA_MESSAGE_VERSION)
{
SECTION("1 element")
{
const Type data = {1, "one"};
- Elem* el = new Elem(cont, group, data);
+ const Elem* el = new Elem(cont, group, data);
CHECK(el != nullptr);
const Type data1 = {1, "one"};
const Type data2 = {2, "two"};
const Type data3 = {3, "three"};
- Elem* el1 = new Elem(cont, group, data1);
- Elem* el2 = new Elem(cont, group, data2);
- Elem* el3 = new Elem(cont, group, data3);
+ const Elem* el1 = new Elem(cont, group, data1);
+ const Elem* el2 = new Elem(cont, group, data2);
+ const Elem* el3 = new Elem(cont, group, data3);
CHECK(el1 != nullptr);
CHECK(el2 != nullptr);
const Type data3 = {3, "three"};
Elem* group_a = nullptr;
- Elem* el1 = new Elem(cont, group_a, data1);
+ const Elem* el1 = new Elem(cont, group_a, data1);
CHECK(group_a == el1);
- Elem* el2 = new Elem(cont, group_a, data2);
+ const Elem* el2 = new Elem(cont, group_a, data2);
CHECK(group_a == el2);
- Elem* el3 = new Elem(cont, group_a, data3);
+ const Elem* el3 = new Elem(cont, group_a, data3);
CHECK(group_a == el3);
check_container(cont, data1, data2, data3);
Elem* group_b = nullptr;
Elem* group_c = nullptr;
- Elem* el1 = new Elem(cont, group_a, data1);
+ const Elem* el1 = new Elem(cont, group_a, data1);
CHECK(group_a == el1);
- Elem* el2 = new Elem(cont, group_b, data2);
+ const Elem* el2 = new Elem(cont, group_b, data2);
CHECK(group_b == el2);
- Elem* el3 = new Elem(cont, group_c, data3);
+ const Elem* el3 = new Elem(cont, group_c, data3);
CHECK(group_c == el3);
check_container(cont, data1, data2, data3);
const Type data3 = {3, "three"};
Elem* group_a = nullptr;
- Elem* el1 = new Elem(cont, group_a, data1);
+ const Elem* el1 = new Elem(cont, group_a, data1);
CHECK(group_a == el1);
Elem* el2 = new Elem(cont, group_a, data2);
CHECK(group_a == el2);
- Elem* el3 = new Elem(cont, group_a, data3);
+ const Elem* el3 = new Elem(cont, group_a, data3);
CHECK(group_a == el3);
check_container(cont, data1, data2, data3);
Elem* el1 = new Elem(cont, group_a, data1);
CHECK(group_a == el1);
- Elem* el2 = new Elem(cont, group_a, data2);
+ const Elem* el2 = new Elem(cont, group_a, data2);
CHECK(group_a == el2);
- Elem* el3 = new Elem(cont, group_a, data3);
+ const Elem* el3 = new Elem(cont, group_a, data3);
CHECK(group_a == el3);
check_container(cont, data1, data2, data3);
const Type data3 = {3, "three"};
Elem* group_a = nullptr;
- Elem* el1 = new Elem(cont, group_a, data1);
+ const Elem* el1 = new Elem(cont, group_a, data1);
CHECK(group_a == el1);
- Elem* el2 = new Elem(cont, group_a, data2);
+ const Elem* el2 = new Elem(cont, group_a, data2);
CHECK(group_a == el2);
Elem* el3 = new Elem(cont, group_a, data3);
CHECK(group_a == el3);
SECTION("delete group")
{
const Type data = {1, "one"};
- Elem* el = new Elem(cont, group_a, data);
+ const Elem* el = new Elem(cont, group_a, data);
CHECK(el != nullptr);
{
const Type data1 = {1, "one"};
const Type data2 = {2, "two"};
- Elem* el1 = new Elem(cont, group_a, data1);
- Elem* el2 = new Elem(cont, group_b, data2);
+ const Elem* el1 = new Elem(cont, group_a, data1);
+ const Elem* el2 = new Elem(cont, group_b, data2);
CHECK(el1 != nullptr);
CHECK(el2 != nullptr);
{
const Type data1 = {1, "one"};
const Type data2 = {2, "two"};
- Elem* el1 = new Elem(cont, group_a, data1);
- Elem* el2 = new Elem(cont, group_b, data2);
+ const Elem* el1 = new Elem(cont, group_a, data1);
+ const Elem* el2 = new Elem(cont, group_b, data2);
CHECK(el1 != nullptr);
CHECK(el2 != nullptr);
const Type data1 = {1, "one"};
const Type data2 = {2, "two"};
const Type data3 = {3, "three"};
- Elem* el1 = new Elem(cont, group_a, data1);
- Elem* el2 = new Elem(cont, group_b, data2);
- Elem* el3 = new Elem(cont, group_b, data3);
+ const Elem* el1 = new Elem(cont, group_a, data1);
+ const Elem* el2 = new Elem(cont, group_b, data2);
+ const Elem* el3 = new Elem(cont, group_b, data3);
CHECK(el1 != nullptr);
CHECK(el2 != nullptr);
const Type data1 = {1, "one"};
const Type data2 = {2, "two"};
const Type data3 = {3, "three"};
- Elem* el1 = new Elem(cont, group_a, data1);
- Elem* el2 = new Elem(cont, group_b, data2);
- Elem* el3 = new Elem(cont, group_b, data3);
+ const Elem* el1 = new Elem(cont, group_a, data1);
+ const Elem* el2 = new Elem(cont, group_b, data2);
+ const Elem* el3 = new Elem(cont, group_b, data3);
CHECK(el1 != nullptr);
CHECK(el2 != nullptr);
SECTION("delete group")
{
- Elem* el = new Elem(cont, group_a, 1, "one");
+ const Elem* el = new Elem(cont, group_a, 1, "one");
CHECK(el != nullptr);
SECTION("delete element, then delete group")
{
- Elem* el1 = new Elem(cont, group_a, 1, "one");
- Elem* el2 = new Elem(cont, group_b, 2, "two");
+ const Elem* el1 = new Elem(cont, group_a, 1, "one");
+ const Elem* el2 = new Elem(cont, group_b, 2, "two");
CHECK(el1 != nullptr);
CHECK(el2 != nullptr);
SECTION("delete group, then delete element")
{
- Elem* el1 = new Elem(cont, group_a, 1, "one");
- Elem* el2 = new Elem(cont, group_b, 2, "two");
+ const Elem* el1 = new Elem(cont, group_a, 1, "one");
+ const Elem* el2 = new Elem(cont, group_b, 2, "two");
CHECK(el1 != nullptr);
CHECK(el2 != nullptr);
SECTION("delete elements (remain), then delete group")
{
- Elem* el1 = new Elem(cont, group_a, 1, "one");
- Elem* el2 = new Elem(cont, group_b, 2, "two");
- Elem* el3 = new Elem(cont, group_b, 3, "three");
+ const Elem* el1 = new Elem(cont, group_a, 1, "one");
+ const Elem* el2 = new Elem(cont, group_b, 2, "two");
+ const Elem* el3 = new Elem(cont, group_b, 3, "three");
CHECK(el1 != nullptr);
CHECK(el2 != nullptr);
SECTION("delete group, then delete elements (remain)")
{
- Elem* el1 = new Elem(cont, group_a, 1, "one");
- Elem* el2 = new Elem(cont, group_b, 2, "two");
- Elem* el3 = new Elem(cont, group_b, 3, "three");
+ const Elem* el1 = new Elem(cont, group_a, 1, "one");
+ const Elem* el2 = new Elem(cont, group_b, 2, "two");
+ const Elem* el3 = new Elem(cont, group_b, 3, "three");
CHECK(el1 != nullptr);
CHECK(el2 != nullptr);
static int host_cache_delete_host(lua_State* L)
{
- HostCacheModule* mod = (HostCacheModule*) ModuleManager::get_module(HOST_CACHE_NAME);
+ const HostCacheModule* mod = (HostCacheModule*) ModuleManager::get_module(HOST_CACHE_NAME);
if ( mod )
{
const char* ips = luaL_optstring(L, 1, nullptr);
static int host_cache_delete_network_proto(lua_State* L)
{
- HostCacheModule* mod = (HostCacheModule*) ModuleManager::get_module(HOST_CACHE_NAME);
+ const HostCacheModule* mod = (HostCacheModule*) ModuleManager::get_module(HOST_CACHE_NAME);
if ( mod )
{
const char* ips = luaL_optstring(L, 1, nullptr);
static int host_cache_delete_transport_proto(lua_State* L)
{
- HostCacheModule* mod = (HostCacheModule*) ModuleManager::get_module(HOST_CACHE_NAME);
+ const HostCacheModule* mod = (HostCacheModule*) ModuleManager::get_module(HOST_CACHE_NAME);
if ( mod )
{
const char* ips = luaL_optstring(L, 1, nullptr);
static int host_cache_delete_service(lua_State* L)
{
- HostCacheModule* mod = (HostCacheModule*) ModuleManager::get_module(HOST_CACHE_NAME);
+ const HostCacheModule* mod = (HostCacheModule*) ModuleManager::get_module(HOST_CACHE_NAME);
if ( mod )
{
const char* ips = luaL_optstring(L, 1, nullptr);
static int host_cache_delete_client(lua_State* L)
{
- HostCacheModule* mod = (HostCacheModule*) ModuleManager::get_module(HOST_CACHE_NAME);
+ const HostCacheModule* mod = (HostCacheModule*) ModuleManager::get_module(HOST_CACHE_NAME);
if ( mod )
{
const char* ips = luaL_optstring(L, 1, nullptr);
+ to_string(lru_data.size()) + " trackers, memcap: " + to_string(host_cache.get_max_size())
+ " bytes\n";
- PegCount* counts = (PegCount*) host_cache.get_counts();
+ const PegCount* counts = (PegCount*) host_cache.get_counts();
for ( int i = 0; pegs[i].type != CountType::END; i++ )
{
if ( counts[i] )
+ to_string(lru_data.size()) + " trackers, memcap: " + to_string(host_cache.get_max_size())
+ " bytes\n";
- PegCount* counts = (PegCount*) host_cache.get_counts();
+ const PegCount* counts = (PegCount*) host_cache.get_counts();
const PegInfo* pegs = host_cache.get_pegs();
for ( int i = 0; pegs[i].type != CountType::END; i++ )
}
case BM_DIVIDE:
assert(rvalue != 0);
+ if (!rvalue)
+ return NO_MATCH;
value /= rvalue;
break;
static IpsOption* byte_math_ctor(Module* p, IpsInfo&)
{
- ByteMathModule* m = (ByteMathModule*)p;
+ ByteMathModule* m = reinterpret_cast<ByteMathModule*>(p);
ByteMathData& data = m->data;
data.result_var = AddVarNameToList(data.result_name);
if ( sep_pos != string::npos )
ifname = ifname.substr(sep_pos+1);
- talos_log->name = ifname;
+ talos_log->name = std::move(ifname);
}
void TalosLogger::close()
message.pop_back();
rule.key = key.str();
- rule.msg = message;
+ rule.msg = std::move(message);
rule.gid = gid;
rule.sid = sid;
rule.rev = rev;
rule.count = 1;
// rule not in map, add it
- alerts[key.str()] = rule;
+ alerts[key.str()] = std::move(rule);
}
//-------------------------------------------------------------------------
static std::size_t codec_id = 1;
if (codec_id >= s_protocols.size())
+ {
ParseError("A maximum of 256 codecs can be registered");
+ return;
+ }
if (cd_api->pinit)
cd_api->pinit();
return false; // keep the old one
}
- p.key = key;
+ p.key = std::move(key);
p.api = api;
p.handle = std::move(handle);
p.source = file;
processing of a single packet will not push us over. It must also allow for additional heap
overhead.
+Note regarding statistics collection in the Memory module:
+
+Locking for statistics collection is minimized as the write operation (update_global_stats)
+is protected by a standard lock to ensure multiple threads don't update the global stats
+simultaneously. We are able to bail out if another thread is currently updating the statistics,
+as they will be approximately equal for either of the simulteneous callers.
+
+Read access (Module::sum_stats) can be protected via a shared lock, since
+all that we require here is that stats are not being updated while we are reading them.
+Thus, we never should block to acquire a writer lock, and the critical section is minimal for
+the Module::sum_stats call.
\ No newline at end of file
void MemoryModule::sum_stats(bool dump_stats)
{
- memory::MemoryCap::update_global_stats();
+ if (mem_global_stats_mutex.try_lock())
+ {
+ memory::MemoryCap::update_global_stats();
+ mem_global_stats_mutex.unlock();
+ }
+
+ mem_global_stats_mutex.lock_shared();
Module::sum_stats(dump_stats);
+ mem_global_stats_mutex.unlock();
}
void MemoryModule::set_trace(const Trace* trace) const
#include "framework/module.h"
+#include <shared_mutex>
+
class MemoryModule : public snort::Module
{
public:
void set_trace(const snort::Trace*) const override;
const snort::TraceOption* get_trace_options() const override;
+
+ std::shared_mutex mem_global_stats_mutex;
};
extern THREAD_LOCAL const snort::Trace* memory_trace;
void PerfMonitor::disable_tracker(size_t i)
{
+ assert (i < trackers->size() && i > 0);
+
WarningMessage("Disabling %s\n", (*trackers)[i]->get_name().c_str());
auto tracker = trackers->at(i);
if (config->perf_flags & PERF_CPU )
trackers->emplace_back(new CPUTracker(config));
- for (unsigned i = 0; i < trackers->size(); i++)
+ // Second condition is to prevent overflow, shouldn't happen in practice
+ for (unsigned i = 0; i < trackers->size() && i < std::numeric_limits<unsigned>::max(); i++)
{
if (!(*trackers)[i]->open(true))
- disable_tracker(i--);
+ {
+ disable_tracker(i);
+
+ if (i > 0)
+ i--;
+ }
}
for (auto& tracker : *trackers)
bool PerfMonReloadTuner::tinit()
{
- PerfMonitor* pm = (PerfMonitor*)PigPen::get_inspector(PERF_NAME, true);
+ PerfMonitor* pm = reinterpret_cast<PerfMonitor*>(PigPen::get_inspector(PERF_NAME, true));
auto* new_constraints = pm->get_constraints();
if (new_constraints->flow_ip_enabled)
void PerfMonitor::rotate()
{
- for ( unsigned i = 0; i < trackers->size(); i++ )
- if ( !(*trackers)[i]->rotate() )
- disable_tracker(i--);
+ for (auto& tracker : *trackers)
+ {
+ if (!tracker->rotate())
+ {
+ auto found_trk = std::find(trackers->begin(), trackers->end(), tracker);
+ size_t pos = found_trk - trackers->begin();
+ if (found_trk != trackers->end() && pos > 0 && pos < trackers->size())
+ disable_tracker(pos - 1);
+ }
+ }
}
void PerfMonitor::swap_constraints(PerfConstraints* constraints)
{ delete m; }
static Inspector* pm_ctor(Module* m)
-{ return new PerfMonitor(((PerfMonModule*)m)->get_config()); }
+{ return new PerfMonitor((reinterpret_cast<PerfMonModule*>(m))->get_config()); }
static void pm_dtor(Inspector* p)
{ delete p; }
if ( !etherType or etherType > static_cast<uint16_t>(ProtocolId::ETHERTYPE_MINIMUM) )
{
- generate_new_host_mac(p, rt);
+ generate_new_host_mac(p, std::move(rt));
return;
}
if ( llc->s.s.DSAP != llc->s.s.SSAP )
{
- generate_new_host_mac(p, rt);
+ generate_new_host_mac(p, std::move(rt));
return;
}
}
if ( retval )
- generate_new_host_mac(p, rt, true);
+ generate_new_host_mac(p, std::move(rt), true);
return;
}
if ( relative_to_include_dir(arg, file) )
return "I";
- file = hint;
+ file = std::move(hint);
if ( relative_to_parse_dir(arg, file) )
return "F";
;
std::string variable(input + begin + 1, end - begin - 1);
- variable_names.push_back(variable);
+ variable_names.push_back(std::move(variable));
begin = end - 1;
}
{
case '-':
if (var_contents.empty())
- var_contents = var_aux;
+ var_contents = std::move(var_aux);
break;
case '?':
{
auto iter = InjectionErrorToString.find(status);
assert (iter != InjectionErrorToString.end());
- return iter->second;
+ if (iter != InjectionErrorToString.end())
+ return iter->second;
+ else
+ return nullptr;
}
// LAST_PKT_SECOND - if these aren't set, assume the current wire pkt time
if (!record.first_pkt_second or !record.last_pkt_second)
{
+ // Record structures are uint_32 so we must use that here
+ //coverity[y2k38_safety]
record.first_pkt_second = static_cast<uint32_t>(packet_time());
+ //coverity[y2k38_safety]
record.last_pkt_second = static_cast<uint32_t>(packet_time());
}
#include "netflow_cache.h"
#include "netflow_module.h"
+#include "log/messages.h"
#include "utils/util.h"
using namespace snort;
while( std::getline(ss, tmp_str, '\t') )
tokens.push_back(tmp_str);
+ if ( tokens.size() != 3 )
+ {
+ ParseWarning(WARN_CONF,
+ "netflow: malformed service id line (expected 3 tab-separated tokens, got %u): %s",
+ static_cast<unsigned>(tokens.size()), serv_line.c_str());
+ continue;
+ }
+
// Format is <port> <tcp/udp> <internal ID>
uint16_t srv_port = std::stoi(tokens[0]);
std::string proto_str = tokens[1];
netflow_stats.netflow_cache_bytes_in_use = 0;
netflow_stats.template_cache_bytes_in_use = 0;
}
- return (PegCount*)&netflow_stats;
+ return reinterpret_cast<PegCount*>(&netflow_stats);
}
const PegInfo* NetFlowModule::get_pegs() const
#endif
);
SfIp src_ip,src_subnet;
- if (!df->set_ip(source_ip, src_ip, src_subnet))
+ if (!df->set_ip(std::move(source_ip), src_ip, src_subnet))
{
LogRespond(ctrlcon, "Invalid source ip\n");
delete df;
return -1;
}
SfIp dst_ip,dst_subnet;
- if (!df->set_ip(destination_ip, dst_ip, dst_subnet))
+ if (!df->set_ip(std::move(destination_ip), dst_ip, dst_subnet))
{
LogRespond(ctrlcon, "Invalid destination ip\n");
delete df;
DumpFlowsSummary* dfs = new DumpFlowsSummary(ctrlcon);
SfIp src_ip,src_subnet;
- if (!dfs->set_ip(source_ip, src_ip, src_subnet))
+ if (!dfs->set_ip(std::move(source_ip), src_ip, src_subnet))
{
LogRespond(ctrlcon, "Invalid source ip\n");
delete dfs;
return -1;
}
SfIp dst_ip,dst_subnet;
- if (!dfs->set_ip(destination_ip, dst_ip, dst_subnet))
+ if (!dfs->set_ip(std::move(destination_ip), dst_ip, dst_subnet))
{
LogRespond(ctrlcon, "Invalid destination ip\n");
delete dfs;
void Stream::log_extra_data(
Flow* flow, uint32_t mask, const AlertInfo& alert_info)
{
+ std::lock_guard<std::mutex> xtra_lock(stream_xtra_mutex);
if ( mask && stream.extra_data_log )
{
+
stream.extra_data_log(
flow, stream.extra_data_context, stream.xtradata_map,
stream.xtradata_func_count, mask, alert_info);
{
assert(flow and flow->session and flow->pkt_type == PktType::TCP);
- TcpSession* tcp_session = (TcpSession*)flow->session;
+ TcpSession* tcp_session = reinterpret_cast<TcpSession*>(flow->session);
return tcp_session->get_mss(to_server);
}
{
assert(flow and flow->session and flow->pkt_type == PktType::TCP);
- TcpSession* tcp_session = (TcpSession*)flow->session;
+ TcpSession* tcp_session = reinterpret_cast<TcpSession*>(flow->session);
return tcp_session->get_tcp_options_len(to_server);
}
{
assert(flow and flow->session and flow->pkt_type == PktType::TCP);
- TcpSession* tcp_session = (TcpSession*)flow->session;
+ TcpSession* tcp_session = reinterpret_cast<TcpSession*>(flow->session);
return tcp_session->can_set_no_ack();
}
{
assert(flow and flow->session and flow->pkt_type == PktType::TCP);
- TcpSession* tcp_session = (TcpSession*)flow->session;
+ TcpSession* tcp_session = reinterpret_cast<TcpSession*>(flow->session);
return tcp_session->set_no_ack(on_off);
}
if ( flow->pkt_type == PktType::TCP )
{
if ( to_server )
- ((TcpSession*)flow->session)->server.perform_partial_flush();
+ reinterpret_cast<TcpSession*>(flow->session)->server.perform_partial_flush();
else
- ((TcpSession*)flow->session)->client.perform_partial_flush();
+ reinterpret_cast<TcpSession*>(flow->session)->client.perform_partial_flush();
}
}
if (!flow or !flow->session or !(flow->pkt_type == PktType::TCP))
return false;
- TcpSession* tcp_session = (TcpSession*)flow->session;
+ TcpSession* tcp_session = reinterpret_cast<TcpSession*>(flow->session);
if (tcp_session->held_packet_dir == SSN_DIR_NONE)
return false;
if (n < outbuf_size)
*outbuf_ptr = '\0';
else
- outbuf[outbuf_size - 1] = '\0';
+ if (outbuf_size)
+ outbuf[outbuf_size - 1] = '\0';
*output_bytes = outbuf_ptr - outbuf;
if (folded)
if (!(data_stream >> priority))
return false;
+ // coverity[tainted_scalar]
table_api.add_option("priority", priority);
return true;
}
if (!(data_stream >> val))
return true;
-
+ // coverity[tainted_scalar]
data_api.failed_conversion(data_stream, std::to_string(val));
}
else
if (data_stream >> policy_id)
{
cv.get_table_api().open_table("ips");
+ // coverity[tainted_scalar]
cv.get_table_api().add_option("id", policy_id);
cv.get_table_api().close_table();
if (data_stream >> policy_id)
{
+ // coverity[tainted_scalar]
data_api.failed_conversion(data_stream, std::to_string(policy_id));
rc = false;
}
{
table_api.add_diff_option_comment("suspend-timeout", "max_suspend_time");
table_api.add_comment("seconds changed to milliseconds");
+ // coverity[tainted_scalar]
tmpval = table_api.add_option("max_suspend_time", opt * 1000);
}
add_or_append("sort", "no_matches");
}
else
- add_or_append("sort", val);
+ add_or_append("sort", std::move(val));
}
else
{
if (append)
table_api.append_option(opt_name, val);
else
+ // coverity[tainted_scalar]
table_api.add_option(opt_name, val);
return true;
}
if (stream >> val)
{
val = !val ? -1 : ( val == -1 ? 0 : val );
+ // coverity[tainted_scalar]
table_api.add_option(opt_name, val);
return true;
}
if (val.front() == '$')
{
val.erase(val.begin());
- this->value = std::string(val);
+ this->value = std::string(std::move(val));
this->type = OptionType::VAR;
}
else
{
- this->value = std::string(val);
+ this->value = std::string(std::move(val));
this->type = OptionType::STRING;
}
}
Option::Option(const std::string& n, int val, int d)
{
this->name = n;
- this->value = std::to_string(val);
+ this->value = std::to_string(std::move(val));
this->depth = d;
this->type = OptionType::INT;
}
if (val.front() == '$')
{
val.erase(val.begin());
- this->value = std::string(val);
+ this->value = std::string(std::move(val));
this->type = OptionType::VAR;
}
else
{
- this->value = std::string(val);
+ this->value = std::string(std::move(val));
this->type = OptionType::STRING;
}
}
name == "http_uri" ||
name == "raw_data")
{
- curr_sticky_buffer = name;
+ curr_sticky_buffer = std::move(name);
++iter;
}
else if (name == "http_header" ||
}
else
{
- curr_sticky_buffer = name;
+ curr_sticky_buffer = std::move(name);
++iter;
}
}
if (elem.size() <= 1)
{
- s = elem;
+ s = std::move(elem);
end = "";
}
else
const std::size_t pos = elem.find('$', 1);
if (pos == std::string::npos)
{
- s = elem;
+ s = std::move(elem);
end = "";
}
else
VarData* vd = new VarData();
vd->type = VarType::VARIABLE;
- vd->data = s;
+ vd->data = std::move(s);
vars.push_back(vd);
}
else if (!vars.empty() && vars.back()->type == VarType::STRING)
if (!vars.empty() and s != " ")
s.insert(0, " ");
- vd->data = s;
+ vd->data = std::move(s);
vars.push_back(vd);
}
if (!end.empty())
- return add_value(end);
+ return add_value(std::move(end));
return true;
}
// add this pair to the map.
if (!id.empty() && !value.empty())
- attr_map[id] = value;
+ attr_map[id] = std::move(value);
}
void AttributeTable::parse_map_entries()
data_api.failed_conversion(data_stream, error_string);
return false;
}
- file = full_file;
+ file = std::move(full_file);
}
table_api.open_table("hosts");
else
limit = (limit + 1024*1024 - 1) / (1024*1024);
+ // coverity[tainted_scalar]
retval = table_api.add_option("limit", limit) && retval;
retval = table_api.add_comment("limit now in MB, converted") && retval;
retval = table_api.add_deleted_comment("units") && retval;
else
limit = (limit + 1024*1024 - 1) / (1024*1024);
+ // coverity[tainted_scalar]
retval = table_api.add_option("limit", limit) && retval;
retval = table_api.add_comment("limit now in MB, converted") && retval;
retval = table_api.add_deleted_comment("units") && retval;
else
limit = (limit + 1024*1024 - 1) / (1024*1024);
+ // coverity[tainted_scalar]
retval = table_api.add_option("limit", limit) && retval;
retval = table_api.add_comment("limit now in MB, converted") && retval;
retval = table_api.add_deleted_comment("units") && retval;
else
limit = (limit + 1024*1024 - 1) / (1024*1024);
+ // coverity[tainted_scalar]
retval = table_api.add_option("limit", limit) && retval;
retval = table_api.add_comment("limit now in MB, converted") && retval;
retval = table_api.add_deleted_comment("units") && retval;
if (stream >> val)
{
+ // coverity[tainted_scalar]
return add_option_to_all(opt_name, val, co_only);
}
Command c;
c.name = std::string(elem);
c.length = len;
- commands.push_back(c);
+ commands.push_back(std::move(c));
updated = true;
}
else
if (it == commands.end())
{
Command c;
- c.name = std::string(command);
- c.format = std::string(format);
+ c.name = std::string(std::move(command));
+ c.format = std::string(std::move(format));
c.length = command_default_len;
- commands.push_back(c);
+ commands.push_back(std::move(c));
updated = true;
}
// command exists, but format unspecified (length likely specified)
else if (it->format.empty())
{
- it->format = std::string(format);
+ it->format = std::string(std::move(format));
updated = true;
}
// command && format exists, but format is different. create new command
else if (format != it->format)
{
Command c;
- c.name = std::string(command);
- c.format = std::string(format);
+ c.name = std::string(std::move(command));
+ c.format = std::string(std::move(format));
c.length = it->length;
- commands.push_back(c);
+ commands.push_back(std::move(c));
updated = true;
}
else
int i_val;
if (data_stream >> i_val)
+ {
+ // coverity[tainted_scalar]
tmpval = table_api.add_option("ayt_attack_thresh", i_val);
+ }
else
tmpval = false;
}
std::string codemap;
int code_page;
+ // coverity[tainted_scalar]
if ( (data_stream >> codemap) &&
(data_stream >> code_page))
{
+ // coverity[tainted_scalar]
tmpval = table_api.add_option("iis_unicode_map_file", codemap);
tmpval = table_api.add_option("iis_unicode_code_page", code_page) && tmpval;
}
Command c;
c.name = std::string(elem);
c.length = len;
- commands.push_back(c);
+ commands.push_back(std::move(c));
}
else
{
}
}
if ( emit_max_flows )
+ {
+ // coverity[tainted_scalar]
table_api.add_option("max_flows", tcp_max + udp_max + icmp_max + ip_max);
+ }
if ( emit_pruning_timeout )
table_api.add_option("pruning_timeout", INT_MAX == pruning_timeout ? 30 : pruning_timeout);
return false;
table_api.open_table("small_segments");
+ // coverity[tainted_scalar]
table_api.add_option("count", consec_segs);
+ // coverity[tainted_scalar]
table_api.add_option("maximum_size", min_bytes);
table_api.close_table();
uint16_t port;
while (stream >> port)
+ {
+ // coverity[tainted_scalar]
ignore_ports += " " + std::to_string(port);
+ }
table_api.add_deleted_comment(ignore_ports);
}
int val;
if ( arg_stream >> val )
+ {
+ // coverity[tainted_scalar]
table_api.add_option("require_3whs", val);
+ }
else
table_api.add_option("require_3whs", 0);
}
while (arg_stream >> tmp)
addr += " " + tmp;
- add_to_bindings(&Binder::add_when_net, addr);
+ add_to_bindings(&Binder::add_when_net, std::move(addr));
}
else
{
if (!sticky_buffer.empty())
{
- buffer = sticky_buffer;
+ buffer = std::move(sticky_buffer);
if (sticky_buffer_set)
rule_api.bad_rule(data_stream,
std::string new_val;
if ( arg.find('-') == std::string::npos )
- new_val = arg;
+ new_val = std::move(arg);
else
{
if ( arg.find('-') != arg.rfind('-') )
arg_stream >> low;
arg_stream.ignore(1);
arg_stream >> high;
+ // coverity[tainted_scalar]
new_val = std::to_string(low) + "<=>" + std::to_string(high);
}
}
/* Read in the data portion of the record */
if (rec->length > buffer_size)
{
+ // If we fail to allocate here, we simply error out
+ // coverity[tainted_scalar]
tmp = (uint8_t*)malloc(rec->length * sizeof(uint8_t));
if (tmp == nullptr)
{
buffer_size = rec->length;
}
}
+ // coverity[tainted_scalar]
items_read = fread(rec->data, sizeof(uint8_t), rec->length, input);
if (items_read != rec->length)
{
s_pos = ftell(it->file);
+ // coverity[tainted_scalar]
tmp = (uint8_t*)realloc(record->data, record->length);
if (!tmp)
while ( get_record(it, &record) )
{
if ( record.type == UNIFIED2_EVENT3 and record.length == sizeof(Unified2Event) )
+ {
event3_dump(&record);
-
+ }
else if ( (record.type == UNIFIED2_PACKET) or (record.type == UNIFIED2_BUFFER) )
+ {
+ // coverity[tainted_scalar]
packet_dump(&record);
-
+ }
else if (record.type == UNIFIED2_EXTRA_DATA)
+ {
+ // coverity[tainted_scalar]
extradata_dump(&record);
-
+ }
// deprecated
else if ( record.type == UNIFIED2_IDS_EVENT_VLAN and
record.length == sizeof(Unified2IDSEvent) )
projects / thirdparty / snort3.git / commitdiff
