From: Michael Altizer (mialtize) Date: Tue, 27 Mar 2018 19:38:52 +0000 (-0400) Subject: Merge pull request #1152 in SNORT/snort3 from thread_locals to master X-Git-Tag: 3.0.0-245~64 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b817455b44f6214fdcbc6881ed22f6c17d74162e;p=thirdparty%2Fsnort3.git Merge pull request #1152 in SNORT/snort3 from thread_locals to master Squashed commit of the following: commit 6fd127316644edddab9f03949a49a0e88ecde837 Author: Carter Waxman Date: Mon Mar 19 14:26:22 2018 -0400 sfip: removed ntoa. use ntop(SfIpString) instead. commit bd42f67b12a43aea0793c75c4ac0ee38b36fb33a Author: Carter Waxman Date: Mon Mar 19 13:18:12 2018 -0400 stream ip: refactored to use MemoryManager allocators commit 818c7a25505ae6e151790db3e76027252cb854e0 Author: Carter Waxman Date: Fri Mar 16 14:06:08 2018 -0400 jsnorm: moved decode buffer to stack commit 7c91b75afa0ab2a95791c93b0e3e59a55b332f04 Author: Carter Waxman Date: Tue Mar 20 15:53:32 2018 -0400 Buffer: fixed off-by-one error in underlying buffer handling commit dc54e219cc30033dac1cb93915508a7a945695e2 Author: Carter Waxman Date: Fri Mar 16 13:14:29 2018 -0400 PacketManager: moved encode storage to heap commit 7604a81d30a022ff3b50f4116fddd38246057f54 Author: Carter Waxman Date: Fri Mar 16 12:57:37 2018 -0400 CodecManager: removed unused code commit 18b6d223d5bba03483b5ea02563328b784990009 Author: Carter Waxman Date: Fri Mar 16 12:47:50 2018 -0400 Snort: moved s_data to heap commit c04fd730a33ed86cd68e4a1e2739157d5eaf73a0 Author: Carter Waxman Date: Fri Mar 16 09:48:26 2018 -0400 appid sip: moved pattern thread local to class instance commit 46c886725f8b69cfeb36c9b5580970dfbeabc703 Author: Carter Waxman Date: Thu Mar 15 14:47:22 2018 -0400 Base64DecodeOption: moved buffer storage to regular heap --- diff --git a/extra/src/inspectors/data_log/data_log.cc b/extra/src/inspectors/data_log/data_log.cc index f5944dfd0..0d7a19cda 100644 --- a/extra/src/inspectors/data_log/data_log.cc 
+++ b/extra/src/inspectors/data_log/data_log.cc @@ -67,14 +67,15 @@ void LogHandler::handle(DataEvent& e, Flow* f) time_t pt = packet_time(); struct tm st; char buf[26]; + SfIpString ip_str; gmtime_r(&pt, &st); asctime_r(&st, buf); buf[sizeof(buf)-2] = '\0'; TextLog_Print(tlog, "%s, ", buf); - TextLog_Print(tlog, "%s, %d, ", f->client_ip.ntoa(), f->client_port); - TextLog_Print(tlog, "%s, %d", f->server_ip.ntoa(), f->server_port); + TextLog_Print(tlog, "%s, %d, ", f->client_ip.ntop(ip_str), f->client_port); + TextLog_Print(tlog, "%s, %d", f->server_ip.ntop(ip_str), f->server_port); HttpEvent* he = (HttpEvent*)&e; int32_t n; diff --git a/extra/src/loggers/alert_json/alert_json.cc b/extra/src/loggers/alert_json/alert_json.cc index e247b4eac..c639c92f2 100644 --- a/extra/src/loggers/alert_json/alert_json.cc +++ b/extra/src/loggers/alert_json/alert_json.cc @@ -148,8 +148,9 @@ static bool ff_dst_addr(Args& a) { if ( a.pkt->has_ip() or a.pkt->is_data() ) { + SfIpString ip_str; print_label(a, "dst_addr"); - TextLog_Quote(json_log, a.pkt->ptrs.ip_api.get_dst()->ntoa()); + TextLog_Quote(json_log, a.pkt->ptrs.ip_api.get_dst()->ntop(ip_str)); return true; } return false; @@ -157,11 +158,11 @@ static bool ff_dst_addr(Args& a) static bool ff_dst_ap(Args& a) { - const char* addr = ""; + SfIpString addr = ""; unsigned port = 0; if ( a.pkt->has_ip() or a.pkt->is_data() ) - addr = a.pkt->ptrs.ip_api.get_dst()->ntoa(); + a.pkt->ptrs.ip_api.get_dst()->ntop(addr); if ( a.pkt->proto_bits & (PROTO_BIT__TCP|PROTO_BIT__UDP) ) port = a.pkt->ptrs.dp; @@ -425,8 +426,9 @@ static bool ff_src_addr(Args& a) { if ( a.pkt->has_ip() or a.pkt->is_data() ) { + SfIpString ip_str; print_label(a, "src_addr"); - TextLog_Quote(json_log, a.pkt->ptrs.ip_api.get_src()->ntoa()); + TextLog_Quote(json_log, a.pkt->ptrs.ip_api.get_src()->ntop(ip_str)); return true; } return false; 
@@ -434,11 +436,11 @@ static bool ff_src_addr(Args& a) static bool ff_src_ap(Args& a) { - const char* addr = ""; + SfIpString addr = ""; unsigned port = 0; if ( a.pkt->has_ip() or a.pkt->is_data() ) - addr = a.pkt->ptrs.ip_api.get_src()->ntoa(); + a.pkt->ptrs.ip_api.get_src()->ntop(addr); if ( a.pkt->proto_bits & (PROTO_BIT__TCP|PROTO_BIT__UDP) ) port = a.pkt->ptrs.sp; @@ -461,13 +463,13 @@ static bool ff_src_port(Args& a) static bool ff_target(Args& a) { - const char* addr; + SfIpString addr = ""; if ( a.event.sig_info->target == TARGET_SRC ) - addr = a.pkt->ptrs.ip_api.get_src()->ntoa(); + a.pkt->ptrs.ip_api.get_src()->ntop(addr); else if ( a.event.sig_info->target == TARGET_DST ) - addr = a.pkt->ptrs.ip_api.get_dst()->ntoa(); + a.pkt->ptrs.ip_api.get_dst()->ntop(addr); else return false; diff --git a/src/detection/detect_trace.cc b/src/detection/detect_trace.cc index e8af8955d..0e698e063 100644 --- a/src/detection/detect_trace.cc +++ b/src/detection/detect_trace.cc @@ -61,7 +61,7 @@ void clear_trace_cursor_info() void print_pkt_info(Packet* p) { const char* dir; - string dst_addr, src_addr; + SfIpString src_addr, dst_addr; unsigned src_port = 0, dst_port = 0; pkt = p; //save packet pointer for later @@ -75,8 +75,8 @@ void print_pkt_info(Packet* p) if ( pkt->has_ip() or pkt->is_data() ) { - src_addr = string(pkt->ptrs.ip_api.get_src()->ntoa()); - dst_addr = string(pkt->ptrs.ip_api.get_dst()->ntoa()); + pkt->ptrs.ip_api.get_src()->ntop(src_addr); + pkt->ptrs.ip_api.get_dst()->ntop(dst_addr); } if ( pkt->proto_bits & (PROTO_BIT__TCP|PROTO_BIT__UDP) ) @@ -86,7 +86,7 @@ void print_pkt_info(Packet* p) } trace_logf(detection, TRACE_RULE_EVAL,"packet %" PRIu64 " %s %s:%u %s:%u\n", - pc.total_from_daq, dir, src_addr.c_str(), src_port, dst_addr.c_str(), dst_port); + pc.total_from_daq, dir, src_addr, src_port, dst_addr, dst_port); } void print_pattern(const PatternMatchData* pmd) 
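Review bot: In `print_pkt_info` (src/detection/detect_trace.cc) the new `SfIpString src_addr, dst_addr;` buffers are uninitialized and are filled only inside `if ( pkt->has_ip() or pkt->is_data() )`, yet both are passed to `trace_logf` with `%s` unconditionally. The `std::string` locals they replace were empty by default, so for a packet that takes neither branch the trace call now reads indeterminate stack bytes, possibly past the end of the array if no NUL is present. Declare them as `SfIpString src_addr = "", dst_addr = "";`, matching what this commit already does in `ff_src_ap` and `ff_target`. The same initializer would be the safer default for `SfIpString addr;` in `OpenSessionFile` (src/ips_options/ips_session.cc), where every branch calls `ntop` but its result is not checked.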
diff --git a/src/detection/rtn_checks.cc b/src/detection/rtn_checks.cc index e4865b2bd..982c2e951 100644 --- a/src/detection/rtn_checks.cc +++ b/src/detection/rtn_checks.cc @@ -100,7 +100,8 @@ static int CheckAddrPort(sfip_var_t* rule_addr, PortObject* po, Packet* p, } } - DebugFormat(DEBUG_DETECT, "addr %s, port %d ", pkt_addr->ntoa(), pkt_port); + DEBUG_WRAP( SfIpString ip_str; ) + DebugFormat(DEBUG_DETECT, "addr %s, port %d ", pkt_addr->ntop(ip_str), pkt_port); if (!rule_addr) goto bail; diff --git a/src/detection/tag.cc b/src/detection/tag.cc index a0775273e..5de7efc2e 100644 --- a/src/detection/tag.cc +++ b/src/detection/tag.cc @@ -692,22 +692,23 @@ void SetTags(Packet* p, const OptTreeNode* otn, uint16_t event_id) RuleTreeNode* rtn = getRuntimeRtnFromOtn(otn); void* log_list = rtn ? rtn->listhead : nullptr; + DEBUG_WRAP( SfIpString ip_str; ) switch (otn->tag->tag_type) { case TAG_SESSION: DebugMessage(DEBUG_FLOW,"Setting session tag:\n"); DebugFormat(DEBUG_FLOW,"SIP: %s SP: %d ", - p->ptrs.ip_api.get_src()->ntoa(), p->ptrs.sp); + p->ptrs.ip_api.get_src()->ntop(ip_str), p->ptrs.sp); DebugFormat(DEBUG_FLOW,"DIP: %s DP: %d\n", - p->ptrs.ip_api.get_dst()->ntoa(), p->ptrs.dp); + p->ptrs.ip_api.get_dst()->ntop(ip_str), p->ptrs.dp); TagSession(p, otn->tag, p->pkth->ts.tv_sec, event_id, log_list); break; case TAG_HOST: DebugMessage(DEBUG_FLOW,"Setting host tag:\n"); DebugFormat(DEBUG_FLOW,"SIP: %s SP: %d ", - p->ptrs.ip_api.get_src()->ntoa(), p->ptrs.sp); + p->ptrs.ip_api.get_src()->ntop(ip_str), p->ptrs.sp); DebugFormat(DEBUG_FLOW, "DIP: %s DP: %d\n", - p->ptrs.ip_api.get_dst()->ntoa(), p->ptrs.dp); + p->ptrs.ip_api.get_dst()->ntop(ip_str), p->ptrs.dp); TagHost(p, otn->tag, p->pkth->ts.tv_sec, event_id, log_list); break; diff --git a/src/file_api/file_log.cc b/src/file_api/file_log.cc index 15257c821..e65ed3568 100644 --- a/src/file_api/file_log.cc +++ b/src/file_api/file_log.cc 
@@ -161,8 +161,9 @@ void LogHandler::handle(DataEvent&, Flow* f) TextLog_Print(tlog, " "); } - TextLog_Print(tlog, " %s:%d -> ", f->client_ip.ntoa(), f->client_port); - TextLog_Print(tlog, "%s:%d, ", f->server_ip.ntoa(), f->server_port); + SfIpString ip_str; + TextLog_Print(tlog, " %s:%d -> ", f->client_ip.ntop(ip_str), f->client_port); + TextLog_Print(tlog, "%s:%d, ", f->server_ip.ntop(ip_str), f->server_port); FileFlows* files = FileFlows::get_file_flows(f); diff --git a/src/framework/codec.cc b/src/framework/codec.cc index 018f67fc4..1314cbc48 100644 --- a/src/framework/codec.cc +++ b/src/framework/codec.cc @@ -27,6 +27,10 @@ #include "detection/detection_engine.h" #include "events/event_queue.h" +#ifdef UNIT_TEST +#include "catch/snort_catch.h" +#endif + using namespace snort; EncState::EncState(const ip::IpApi& api, EncodeFlags f, IpProtocol pr, @@ -64,7 +68,7 @@ uint8_t EncState::get_ttl(uint8_t lyr_ttl) const } } -/* Logic behind 'buf + size + 1' -- we're encoding the +/* Logic behind 'buf + size' -- we're encoding the * packet from the inside out. So, whenever we add * data, 'allocating' N bytes means moving the pointer * N characters farther from the end. For this scheme @@ -73,7 +77,7 @@ uint8_t EncState::get_ttl(uint8_t lyr_ttl) const * array */ Buffer::Buffer(uint8_t* buf, uint32_t size) : - base(buf + size + 1), + base(buf + size), end(0), max_len(size), off(0) 
@@ -174,3 +178,47 @@ void Codec::CheckIPv6ExtensionOrder(CodecData& codec, const IpProtocol ip_proto) codec.codec_flags |= CODEC_ROUTING_SEEN; } +#ifdef UNIT_TEST +TEST_CASE("init", "[buffer]") +{ + uint8_t raw_buf[2]; + Buffer buf(&raw_buf[0], 1); + CHECK( buf.data() == &raw_buf[1] ); // 1 past the "known" buffer + CHECK( buf.size() == 0 ); +} + +TEST_CASE("alloc", "[buffer]") +{ + uint8_t raw_buf[1]; + Buffer buf(raw_buf, 1); + buf.allocate(1); + + CHECK( buf.data() == &raw_buf[0] ); + CHECK( buf.size() == 1 ); +} + +TEST_CASE("multi alloc", "[buffer]") +{ + uint8_t raw_buf2[3]; + Buffer buf2(raw_buf2, 3); + buf2.allocate(1); + + CHECK( buf2.data() == &raw_buf2[2] ); + CHECK( buf2.size() == 1 ); + + buf2.allocate(2); + CHECK( buf2.data() == &raw_buf2[0] ); + CHECK( buf2.size() == 3 ); +} + +TEST_CASE("clear", "[buffer]") +{ + uint8_t raw_buf[2]; + Buffer buf(raw_buf, 1); + buf.allocate(1); + buf.clear(); + + CHECK( buf.data() == &raw_buf[1] ); // 1 past the "known" buffer + CHECK( buf.size() == 0 ); +} +#endif diff --git a/src/ips_options/ips_base64.cc b/src/ips_options/ips_base64.cc index 58f4a02b3..929f03c25 100644 --- a/src/ips_options/ips_base64.cc +++ b/src/ips_options/ips_base64.cc @@ -36,9 +36,13 @@ using namespace snort; -static THREAD_LOCAL uint8_t base64_decode_buf[DECODE_BLEN]; -static THREAD_LOCAL uint32_t base64_decode_size; +struct Base64DecodeBuffer +{ + uint8_t data[DECODE_BLEN]; + uint32_t size; +}; +static THREAD_LOCAL Base64DecodeBuffer* base64_decode_buffer; static THREAD_LOCAL ProfileStats base64PerfStats; #define s_name "base64_decode" @@ -52,12 +56,12 @@ static THREAD_LOCAL ProfileStats base64PerfStats; #define BASE64DECODE_RELATIVE_FLAG 0x01 -typedef struct _Base64DecodeData +struct Base64DecodeData { uint32_t bytes_to_decode; uint32_t offset; uint8_t flags; -}Base64DecodeData; +}; class Base64DecodeOption : public IpsOption { 
@@ -117,7 +121,7 @@ bool Base64DecodeOption::operator==(const IpsOption& ips) const IpsOption::EvalStatus Base64DecodeOption::eval(Cursor& c, Packet*) { Profile profile(base64PerfStats); - base64_decode_size = 0; + base64_decode_buffer->size = 0; Base64DecodeData* idx = (Base64DecodeData*)&config; const uint8_t* start_ptr = nullptr; @@ -151,8 +155,8 @@ IpsOption::EvalStatus Base64DecodeOption::eval(Cursor& c, Packet*) base64_size = idx->bytes_to_decode; } - if (sf_base64decode(base64_buf, base64_size, (uint8_t*)base64_decode_buf, - sizeof(base64_decode_buf), &base64_decode_size) != 0) + if (sf_base64decode(base64_buf, base64_size, base64_decode_buffer->data, + sizeof(base64_decode_buffer->data), &base64_decode_buffer->size) != 0) return NO_MATCH; return MATCH; @@ -289,10 +293,10 @@ IpsOption::EvalStatus Base64DataOption::eval(Cursor& c, Packet*) { Profile profile(base64PerfStats); - if ( !base64_decode_size ) + if ( !base64_decode_buffer->size ) return NO_MATCH; - c.set(s_data_name, base64_decode_buf, base64_decode_size); + c.set(s_data_name, base64_decode_buffer->data, base64_decode_buffer->size); return MATCH; } @@ -318,6 +322,17 @@ static void base64_data_dtor(IpsOption* p) delete p; } +static void base64_data_tinit(SnortConfig*) +{ + base64_decode_buffer = new Base64DecodeBuffer(); +} + +static void base64_data_tterm(SnortConfig*) +{ + delete base64_decode_buffer; + base64_decode_buffer = nullptr; +} + static const IpsApi base64_data_api = { { @@ -336,8 +351,8 @@ static const IpsApi base64_data_api = 0, 0, nullptr, nullptr, - nullptr, - nullptr, + base64_data_tinit, + base64_data_tterm, base64_data_ctor, base64_data_dtor, nullptr diff --git a/src/ips_options/ips_session.cc b/src/ips_options/ips_session.cc index a4f5bed7b..7e42becf3 100644 --- a/src/ips_options/ips_session.cc +++ b/src/ips_options/ips_session.cc 
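Review bot: `Base64DecodeOption::eval` now dereferences `base64_decode_buffer` unconditionally (`base64_decode_buffer->size = 0;`), but the only allocation visible in this commit is `base64_data_tinit`, which is registered on `base64_data_api`. The API table for the `base64_decode` option itself lies outside these hunks. If its thread-init slot is not wired to the allocator, or if thread-init runs only for options present in the loaded rules, a rule using `base64_decode` without `base64_data` would dereference a null pointer while evaluating packet data. Consider registering the same tinit/tterm pair on the decode option's API, made idempotent with `if ( !base64_decode_buffer )`, or returning `NO_MATCH` from both `eval` functions when the pointer is null.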
@@ -174,23 +174,23 @@ static FILE* OpenSessionFile(Packet* p) dst = p->ptrs.ip_api.get_dst(); src = p->ptrs.ip_api.get_src(); - const char* addr; + SfIpString addr; if (SnortConfig::get_conf()->homenet.contains(dst) == SFIP_CONTAINS) { if (SnortConfig::get_conf()->homenet.contains(src) == SFIP_NOT_CONTAINS) { - addr = p->ptrs.ip_api.get_src()->ntoa(); + p->ptrs.ip_api.get_src()->ntop(addr); } else { if (p->ptrs.sp >= p->ptrs.dp) { - addr = p->ptrs.ip_api.get_src()->ntoa(); + p->ptrs.ip_api.get_src()->ntop(addr); } else { - addr = p->ptrs.ip_api.get_dst()->ntoa(); + p->ptrs.ip_api.get_dst()->ntop(addr); } } } @@ -198,17 +198,17 @@ static FILE* OpenSessionFile(Packet* p) { if (SnortConfig::get_conf()->homenet.contains(src) == SFIP_CONTAINS) { - addr = p->ptrs.ip_api.get_dst()->ntoa(); + p->ptrs.ip_api.get_dst()->ntop(addr); } else { if (p->ptrs.sp >= p->ptrs.dp) { - addr = p->ptrs.ip_api.get_src()->ntoa(); + p->ptrs.ip_api.get_src()->ntop(addr); } else { - addr = p->ptrs.ip_api.get_dst()->ntoa(); + p->ptrs.ip_api.get_dst()->ntop(addr); } } } diff --git a/src/loggers/alert_csv.cc b/src/loggers/alert_csv.cc index 7aa7c39e7..c8c57e44e 100644 --- a/src/loggers/alert_csv.cc +++ b/src/loggers/alert_csv.cc @@ -123,16 +123,19 @@ static void ff_dir(Args& a) static void ff_dst_addr(Args& a) { if ( a.pkt->has_ip() or a.pkt->is_data() ) - TextLog_Puts(csv_log, a.pkt->ptrs.ip_api.get_dst()->ntoa()); + { + SfIpString ip_str; + TextLog_Puts(csv_log, a.pkt->ptrs.ip_api.get_dst()->ntop(ip_str)); + } } static void ff_dst_ap(Args& a) { - const char* addr = ""; + SfIpString addr = ""; unsigned port = 0; if ( a.pkt->has_ip() or a.pkt->is_data() ) - addr = a.pkt->ptrs.ip_api.get_dst()->ntoa(); + a.pkt->ptrs.ip_api.get_dst()->ntop(addr); if ( a.pkt->proto_bits & (PROTO_BIT__TCP|PROTO_BIT__UDP) ) port = a.pkt->ptrs.dp; 
@@ -314,16 +317,19 @@ static void ff_sid(Args& a) static void ff_src_addr(Args& a) { if ( a.pkt->has_ip() or a.pkt->is_data() ) - TextLog_Puts(csv_log, a.pkt->ptrs.ip_api.get_src()->ntoa()); + { + SfIpString ip_str; + TextLog_Puts(csv_log, a.pkt->ptrs.ip_api.get_src()->ntop(ip_str)); + } } static void ff_src_ap(Args& a) { - const char* addr = ""; + SfIpString addr = ""; unsigned port = 0; if ( a.pkt->has_ip() or a.pkt->is_data() ) - addr = a.pkt->ptrs.ip_api.get_src()->ntoa(); + a.pkt->ptrs.ip_api.get_src()->ntop(addr); if ( a.pkt->proto_bits & (PROTO_BIT__TCP|PROTO_BIT__UDP) ) port = a.pkt->ptrs.sp; @@ -339,13 +345,13 @@ static void ff_src_port(Args& a) static void ff_target(Args& a) { - const char* addr; + SfIpString addr = ""; if ( a.event.sig_info->target == TARGET_SRC ) - addr = a.pkt->ptrs.ip_api.get_src()->ntoa(); + a.pkt->ptrs.ip_api.get_src()->ntop(addr); else if ( a.event.sig_info->target == TARGET_DST ) - addr = a.pkt->ptrs.ip_api.get_dst()->ntoa(); + a.pkt->ptrs.ip_api.get_dst()->ntop(addr); else return; diff --git a/src/main/snort.cc b/src/main/snort.cc index 4a5fcfb3d..ca6b52894 100644 --- a/src/main/snort.cc +++ b/src/main/snort.cc @@ -113,7 +113,7 @@ static pid_t snort_main_thread_pid = 0; // non-local for easy access from core static THREAD_LOCAL DAQ_PktHdr_t s_pkth; -static THREAD_LOCAL uint8_t s_data[65536]; +static THREAD_LOCAL uint8_t* s_data = nullptr; static THREAD_LOCAL Packet* s_packet = nullptr; static THREAD_LOCAL ContextSwitcher* s_switcher = nullptr; @@ -718,6 +718,7 @@ void Snort::thread_rotate() */ bool Snort::thread_init_privileged(const char* intf) { + s_data = new uint8_t[65535]; show_source(intf); SnortConfig::get_conf()->thread_config->implement_thread_affinity(STHREAD_TYPE_PACKET, get_instance_id()); @@ -773,6 +774,7 @@ void Snort::thread_init_unprivileged() // in case there are HA messages waiting, process them first HighAvailabilityManager::process_receive(); + PacketManager::thread_init(); } void Snort::thread_term() 
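Review bot: The heap replacement for `s_data` in `Snort::thread_init_privileged` (src/main/snort.cc) is one byte smaller than the array it replaces: the removed declaration is `uint8_t s_data[65536]`, the new allocation is `new uint8_t[65535]`. The code that fills or sizes against `s_data` is outside these hunks, so it cannot be confirmed here that nothing still assumes 65536 bytes. Any remaining `sizeof(s_data)` would also now yield the pointer size. Unless the shrink is intentional, keep the old capacity with `s_data = new uint8_t[65536];`, ideally through a named constant shared with whatever bounds the writes.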
@@ -813,9 +815,11 @@ void Snort::thread_term() CleanupTag(); FileService::thread_term(); PacketTracer::thread_term(); + PacketManager::thread_term(); Active::term(); delete s_switcher; + delete s_data; } void Snort::inspect(Packet* p) diff --git a/src/managers/codec_manager.cc b/src/managers/codec_manager.cc index bae0b4c24..9845e1f6e 100644 --- a/src/managers/codec_manager.cc +++ b/src/managers/codec_manager.cc @@ -27,7 +27,6 @@ #include "main/snort_config.h" #include "packet_io/sfdaq.h" #include "protocols/packet_manager.h" -#include "utils/dnet_header.h" using namespace snort; @@ -55,13 +54,6 @@ THREAD_LOCAL uint8_t CodecManager::max_layers = DEFAULT_LAYERMAX; // This is hardcoded into Snort++ extern const CodecApi* default_codec; -// Local variables for various tasks -static const uint16_t IP_ID_COUNT = 8192; -static THREAD_LOCAL std::array s_id_pool { - { 0 } -}; -static THREAD_LOCAL rand_t* s_rand = nullptr; - /* * Begin search from index 1. 0 is a special case in that it is the default * codec and is actually a duplicate. i.e., we can find the 0 indexed @@ -234,19 +226,6 @@ void CodecManager::thread_init(SnortConfig* sc) if (!grinder) ParseError("Unable to find a Codec with data link type %d", daq_dlt); - - if ( s_rand ) - rand_close(s_rand); - - // rand_open() can yield valgrind errors because the - // starting seed may come from "random stack contents" - // (see man 3 dnet) - s_rand = rand_open(); - - if ( !s_rand ) - ParseError("rand_open() failed."); - - rand_get(s_rand, s_id_pool.data(), s_id_pool.size()); } void CodecManager::thread_term() @@ -258,12 +237,6 @@ void CodecManager::thread_term() if (wrap.api->tterm) wrap.api->tterm(); } - - if ( s_rand ) - { - rand_close(s_rand); - s_rand = nullptr; - } } void CodecManager::dump_plugins() diff --git a/src/network_inspectors/appid/appid_detector.h b/src/network_inspectors/appid/appid_detector.h index 936fd429d..a12db6c1f 100644 --- a/src/network_inspectors/appid/appid_detector.h 
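Review bot: `delete s_data;` in `Snort::thread_term` releases memory obtained with `new uint8_t[...]`, so it must be the array form; mixing `new[]` with scalar `delete` is undefined behavior and can corrupt the allocator's state. Use `delete[] s_data; s_data = nullptr;` so a later access or a second `thread_term` does not touch a dangling pointer. The same mismatch appears in the `Fragment` destructor added in src/stream/ip/ip_defrag.cc, where `fptr` comes from `new uint8_t[flen]` but is released with `delete fptr;`; that should be `delete[] fptr;`.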
+++ b/src/network_inspectors/appid/appid_detector.h @@ -116,6 +116,7 @@ public: virtual void add_user(AppIdSession&, const char*, AppId, bool); virtual void add_payload(AppIdSession&, AppId); virtual void add_app(AppIdSession&, AppId, AppId, const char*); + virtual void finalize() {} const std::string& get_name() const { return name; } diff --git a/src/network_inspectors/appid/appid_inspector.cc b/src/network_inspectors/appid/appid_inspector.cc index 40629c279..195c45ed1 100644 --- a/src/network_inspectors/appid/appid_inspector.cc +++ b/src/network_inspectors/appid/appid_inspector.cc @@ -155,7 +155,6 @@ void AppIdInspector::tinit() PatternClientDetector::finalize_client_port_patterns(); AppIdDiscovery::finalize_plugins(); http_matchers->finalize(); - SipUdpClientDetector::finalize_sip_ua(); ssl_detector_process_patterns(); dns_host_detector_process_patterns(); } diff --git a/src/network_inspectors/appid/client_plugins/client_discovery.cc b/src/network_inspectors/appid/client_plugins/client_discovery.cc index 8140e991b..68d048017 100644 --- a/src/network_inspectors/appid/client_plugins/client_discovery.cc +++ b/src/network_inspectors/appid/client_plugins/client_discovery.cc @@ -115,6 +115,12 @@ void ClientDiscovery::initialize() void ClientDiscovery::finalize_client_plugins() { + for ( auto kv : tcp_detectors ) + kv.second->finalize(); + + for ( auto kv : udp_detectors ) + kv.second->finalize(); + if ( tcp_patterns ) tcp_patterns->prep(); diff --git a/src/network_inspectors/appid/detector_plugins/detector_sip.cc b/src/network_inspectors/appid/detector_plugins/detector_sip.cc index b72239cbd..486ced25b 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_sip.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_sip.cc 
@@ -261,23 +261,21 @@ int SipUdpClientDetector::sipServerPatternAdd(AppId ClientAppId, const char* cli pattern); } -int SipUdpClientDetector::finalize_sip_ua() +void SipUdpClientDetector::finalize() { - const int PATTERN_PART_MAX = 10; - static THREAD_LOCAL tMlmpPattern patterns[PATTERN_PART_MAX]; int num_patterns; DetectorAppSipPattern* patternNode; detector_sip_config.sip_ua_matcher = mlmpCreate(); if ( !detector_sip_config.sip_ua_matcher ) - return -1; + return; detector_sip_config.sip_server_matcher = mlmpCreate(); if ( !detector_sip_config.sip_server_matcher ) { mlmpDestroy((tMlmpTree*)detector_sip_config.sip_ua_matcher); detector_sip_config.sip_ua_matcher = nullptr; - return -1; + return; } for ( patternNode = detector_sip_config.sip_ua_list; patternNode; patternNode = @@ -302,7 +300,6 @@ int SipUdpClientDetector::finalize_sip_ua() mlmpProcessPatterns((tMlmpTree*)detector_sip_config.sip_ua_matcher); mlmpProcessPatterns((tMlmpTree*)detector_sip_config.sip_server_matcher); - return 0; } static int get_sip_client_app(void* patternMatcher, const char* pattern, uint32_t patternLen, @@ -381,10 +378,11 @@ void SipServiceDetector::addFutureRtpFlows(SipEvent& event, AppIdSession& asd) while ( media_a && media_b ) { + DEBUG_WRAP( snort::SfIpString ip_str; ) DebugFormat(DEBUG_SIP, "Adding future channels Source IP: %s Port: %hu\n", - media_a->get_address()->ntoa(), media_a->get_port()); + media_a->get_address()->ntop(ip_str), media_a->get_port()); DebugFormat(DEBUG_SIP, "Adding future channels Destine IP: %s Port: %hu\n", - media_b->get_address()->ntoa(), media_b->get_port()); + media_b->get_address()->ntop(ip_str), media_b->get_port()); createRtpFlow(asd, event.get_packet(), media_a->get_address(), media_a->get_port(), media_b->get_address(), media_b->get_port(), IpProtocol::UDP, APP_ID_RTP); diff --git a/src/network_inspectors/appid/detector_plugins/detector_sip.h b/src/network_inspectors/appid/detector_plugins/detector_sip.h index 6c51e8f23..643f09953 100644 
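Review bot: With `SipUdpClientDetector::finalize()` now returning `void`, both `mlmpCreate()` failure paths just `return;` and leave `sip_ua_matcher` or `sip_server_matcher` null without any diagnostic. The old `return -1` at least made the failure expressible to a caller. The lookup code that consumes these matchers is outside the hunk, so whether it tolerates a null tree cannot be confirmed here. Emit an error or warning before each early return, and check that the match path tests the matcher pointers before use. The function body continues past the end of the first hunk.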
--- a/src/network_inspectors/appid/detector_plugins/detector_sip.h +++ b/src/network_inspectors/appid/detector_plugins/detector_sip.h @@ -57,9 +57,15 @@ public: int validate(AppIdDiscoveryArgs&) override; + void finalize() override; + + // FIXIT-L revisit init so it's not split between static methods and constructor static int sipUaPatternAdd(AppId, const char* clientVersion, const char* uaPattern); static int sipServerPatternAdd(AppId, const char* clientVersion, const char* uaPattern); - static int finalize_sip_ua(); + +private: + static const int PATTERN_PART_MAX = 10; + tMlmpPattern patterns[PATTERN_PART_MAX]; }; class SipTcpClientDetector : public ClientDetector diff --git a/src/network_inspectors/arp_spoof/arp_spoof.cc b/src/network_inspectors/arp_spoof/arp_spoof.cc index f9f9bc0fb..cee342373 100644 --- a/src/network_inspectors/arp_spoof/arp_spoof.cc +++ b/src/network_inspectors/arp_spoof/arp_spoof.cc @@ -117,7 +117,8 @@ static void PrintIPMacEntryList(IPMacEntryList& ipmel) { SfIp in; in.set(&p.ipv4_addr, AF_INET); - LogMessage(" %s -> ", in.ntoa()); + SfIpString ip_str; + LogMessage(" %s -> ", in.ntop(ip_str)); for (int i = 0; i < 6; i++) { diff --git a/src/network_inspectors/port_scan/ipobj.cc b/src/network_inspectors/port_scan/ipobj.cc index d2e483787..0c42c2bc8 100644 --- a/src/network_inspectors/port_scan/ipobj.cc +++ b/src/network_inspectors/port_scan/ipobj.cc @@ -167,7 +167,8 @@ int ipset_print(IPSET* ipc) p!=nullptr; p =(IP_PORT*)sflist_next(&cur_ip) ) { - printf("CIDR BLOCK: %c%s", p->notflag ? '!' : ' ', p->ip.get_addr()->ntoa()); + SfIpString ip_str; + printf("CIDR BLOCK: %c%s", p->notflag ? '!' : ' ', p->ip.get_addr()->ntop(ip_str)); SF_LNODE* cur_port; for ( PORTRANGE* pr=(PORTRANGE*)sflist_first(&p->portset.port_list, &cur_port); diff --git a/src/network_inspectors/port_scan/port_scan.cc b/src/network_inspectors/port_scan/port_scan.cc index 80a0cf461..0ed7f93ec 100644 --- a/src/network_inspectors/port_scan/port_scan.cc 
+++ b/src/network_inspectors/port_scan/port_scan.cc @@ -100,13 +100,13 @@ static void make_open_port_info(Packet* p, PS_PROTO* proto) static void make_open_port_info(Packet* p, uint16_t port) { DataBuffer& buf = DetectionEngine::get_alt_buffer(p); - - const char* addr = p->ptrs.ip_api.get_src()->ntoa(); + + SfIpString ip_str; buf.len = safe_snprintf((char*)buf.data, sizeof(buf.data), "Scanned IP: %s\n" "Open Port: %hu\n", - addr, port); + p->ptrs.ip_api.get_src()->ntop(ip_str), port); } static void PortscanAlertTcp(Packet* p, PS_PROTO* proto) @@ -303,9 +303,10 @@ static void PortscanAlert(PS_PKT* ps_pkt, PS_PROTO* proto, int proto_type) static void PrintIPPortSet(IP_PORT* p) { - char ip_str[80], output_str[80]; + char output_str[80]; - SnortSnprintf(ip_str, sizeof(ip_str), "%s", p->ip.get_addr()->ntoa()); + SfIpString ip_str; + p->ip.get_addr()->ntop(ip_str); if (p->notflag) SnortSnprintf(output_str, sizeof(output_str), " !%s", ip_str); diff --git a/src/network_inspectors/reputation/reputation_inspect.cc b/src/network_inspectors/reputation/reputation_inspect.cc index 46267d3b8..b5ac7a9bf 100644 --- a/src/network_inspectors/reputation/reputation_inspect.cc +++ b/src/network_inspectors/reputation/reputation_inspect.cc @@ -158,7 +158,8 @@ static inline IPrepInfo* ReputationLookup(ReputationConfig* config, const SfIp* { IPrepInfo* result; - DEBUG_WRAP(DebugFormat(DEBUG_REPUTATION, "Lookup address: %s \n", ip->ntoa() ); ); + DEBUG_WRAP( SfIpString ip_str; ) + DebugFormat(DEBUG_REPUTATION, "Lookup address: %s \n", ip->ntop(ip_str)); if (!config->scanlocal) { if (ip->is_private() ) diff --git a/src/network_inspectors/reputation/reputation_parse.cc b/src/network_inspectors/reputation/reputation_parse.cc index 867f66ef7..29491a1c7 100644 --- a/src/network_inspectors/reputation/reputation_parse.cc +++ b/src/network_inspectors/reputation/reputation_parse.cc 
@@ -322,12 +322,14 @@ static int AddIPtoList(snort::SfCidr* ipAddr,INFO ipInfo_ptr, ReputationConfig* #ifdef DEBUG_MSGS if (nullptr != sfrt_flat_lookup(ipAddr->get_addr(), config->iplist)) { - DebugFormat(DEBUG_REPUTATION, "Find address before insert: %s\n", ipAddr->ntoa() ); + snort::SfIpString ip_str; + DebugFormat(DEBUG_REPUTATION, "Find address before insert: %s\n", ipAddr->ntop(ip_str) ); } else { + snort::SfIpString ip_str; DebugFormat(DEBUG_REPUTATION, - "Can't find address before insert: %s\n", ipAddr->ntoa() ); + "Can't find address before insert: %s\n", ipAddr->ntop(ip_str) ); } #endif @@ -353,7 +355,8 @@ static int AddIPtoList(snort::SfCidr* ipAddr,INFO ipInfo_ptr, ReputationConfig* result = (IPrepInfo*)sfrt_flat_lookup(ipAddr->get_addr(), config->iplist); if (nullptr != result) { - DebugFormat(DEBUG_REPUTATION, "Find address after insert: %s \n", ipAddr->ntoa() ); + snort::SfIpString ip_str; + DebugFormat(DEBUG_REPUTATION, "Find address after insert: %s \n", ipAddr->ntop(ip_str) ); DEBUG_WRAP(ReputationPrintRepInfo(result, (uint8_t*)config->iplist); ); } #endif @@ -362,14 +365,16 @@ static int AddIPtoList(snort::SfCidr* ipAddr,INFO ipInfo_ptr, ReputationConfig* else if (MEM_ALLOC_FAILURE == iRet) { iFinalRet = IP_MEM_ALLOC_FAILURE; + snort::SfIpString ip_str; DEBUG_WRAP(DebugFormat(DEBUG_REPUTATION, "Insert error: %d for address: %s \n",iRet, - ipAddr->ntoa() ); ); + ipAddr->ntop(ip_str) ); ); } else { iFinalRet = IP_INSERT_FAILURE; + snort::SfIpString ip_str; DEBUG_WRAP(DebugFormat(DEBUG_REPUTATION, "Insert error: %d for address: %s \n",iRet, - ipAddr->ntoa() ); ); + ipAddr->ntop(ip_str) ); ); } usageAfterAdd = sfrt_flat_usage(config->iplist); diff --git a/src/packet_io/intf.cc b/src/packet_io/intf.cc index 674717875..14e097743 100644 --- a/src/packet_io/intf.cc +++ b/src/packet_io/intf.cc 
@@ -59,7 +59,9 @@ void PrintAllInterfaces() { snort::SfIp dev_ip; dev_ip.set(&saddr->sin_addr, saddr->sin_family); - printf("\t%s", dev_ip.ntoa()); + + snort::SfIpString ip; + printf("\t%s", dev_ip.ntop(ip)); } else printf("\tdisabled"); diff --git a/src/protocols/packet_manager.cc b/src/protocols/packet_manager.cc index 8f1d85bb3..18e5859ca 100644 --- a/src/protocols/packet_manager.cc +++ b/src/protocols/packet_manager.cc @@ -68,7 +68,17 @@ const std::array PacketManager::stat_na // Encoder Foo static THREAD_LOCAL PegCount total_rebuilt_pkts = 0; -static THREAD_LOCAL std::array s_pkt { { 0 } }; +static THREAD_LOCAL std::array* s_pkt; + +void PacketManager::thread_init() +{ + s_pkt = new std::array{ {0} }; +} + +void PacketManager::thread_term() +{ + delete s_pkt; +} //------------------------------------------------------------------------- // Private helper functions @@ -418,7 +428,7 @@ const uint8_t* PacketManager::encode_response( TcpResponse type, EncodeFlags flags, const Packet* p, uint32_t& len, const uint8_t* const payload, uint32_t payload_len) { - Buffer buf(s_pkt.data(), s_pkt.size()); + Buffer buf(s_pkt->data(), s_pkt->size()); switch (type) { @@ -465,7 +475,7 @@ const uint8_t* PacketManager::encode_response( const uint8_t* PacketManager::encode_reject(UnreachResponse type, EncodeFlags flags, const Packet* p, uint32_t& len) { - Buffer buf(s_pkt.data(), s_pkt.size()); + Buffer buf(s_pkt->data(), s_pkt->size()); if (p->is_ip4()) { diff --git a/src/protocols/packet_manager.h b/src/protocols/packet_manager.h index eae0c2160..ae97321d7 100644 --- a/src/protocols/packet_manager.h +++ b/src/protocols/packet_manager.h @@ -57,6 +57,9 @@ enum class UnreachResponse class SO_PUBLIC PacketManager { public: + static void thread_init(); + static void thread_term(); + // decode this packet and set all relevant packet fields. static void decode(Packet*, const struct _daq_pkthdr*, const uint8_t*, bool cooked = false); 
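Review bot: In src/protocols/packet_manager.cc, `s_pkt` is now a thread-local pointer with no initializer shown that `encode_response` and `encode_reject` dereference unconditionally (`s_pkt->data()`), and `PacketManager::thread_term` deletes it without resetting it. A call on a thread that has not run `thread_init`, or after `thread_term`, would therefore use a null or dangling pointer. The snort.cc hunk calls `thread_init` from `thread_init_unprivileged`, so any encode before that point would be affected; whether one exists is not visible here. Declare it with `= nullptr` and end `thread_term` with `s_pkt = nullptr;`, as `base64_data_tterm` does for its buffer in this same commit.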
diff --git a/src/service_inspectors/sip/sip_dialog.cc b/src/service_inspectors/sip/sip_dialog.cc index 7082be9c8..a34990544 100644 --- a/src/service_inspectors/sip/sip_dialog.cc +++ b/src/service_inspectors/sip/sip_dialog.cc @@ -386,7 +386,6 @@ static int SIP_ignoreChannels(SIP_DialogData* dialog, Packet* p, SIP_PROTO_CONF* while ((nullptr != mdataA)&&(nullptr != mdataB)) { //void *ssn; - /* Call into Streams to mark data channel as something to ignore. */ Flow* ssn = Stream::get_flow( PktType::UDP, IpProtocol::UDP, &mdataA->maddress, diff --git a/src/sfip/sf_cidr.h b/src/sfip/sf_cidr.h index 7f5ceb631..f4208c773 100644 --- a/src/sfip/sf_cidr.h +++ b/src/sfip/sf_cidr.h @@ -57,7 +57,7 @@ struct SO_PUBLIC SfCidr bool fast_cont6(const SfIp& ip) const; SfIpRet contains(const SfIp* ip) const; - const char* ntoa() const; + const char* ntop(SfIpString) const; SfIpRet compare(const SfCidr&) const; private: @@ -161,9 +161,9 @@ inline bool SfCidr::fast_cont6(const SfIp& ip) const return ntohl(addr.get_ip6_ptr()[i]) == needle; } -inline const char* SfCidr::ntoa() const +inline const char* SfCidr::ntop(SfIpString ip_str) const { - return addr.ntoa(); + return addr.ntop(ip_str); } inline SfIpRet SfCidr::compare(const SfCidr& cidr2) const diff --git a/src/sfip/sf_ip.cc b/src/sfip/sf_ip.cc index 2a758bee3..9143add44 100644 --- a/src/sfip/sf_ip.cc +++ b/src/sfip/sf_ip.cc @@ -383,14 +383,9 @@ const char* SfIp::ntop(char* buf, int bufsize) const return snort_inet_ntop(family, get_ptr(), buf, bufsize); } -/* Uses a static buffer to return a string representation of the IP */ -const char* SfIp::ntoa() const +const char* SfIp::ntop(SfIpString str) const { - static THREAD_LOCAL char buf[INET6_ADDRSTRLEN]; - - ntop(buf, sizeof(buf)); - - return buf; + return snort_inet_ntop(family, get_ptr(), str, sizeof(SfIpString)); } bool SfIp::is_mapped() const diff --git a/src/sfip/sf_ip.h b/src/sfip/sf_ip.h index 45928dea8..714abc380 100644 --- a/src/sfip/sf_ip.h +++ b/src/sfip/sf_ip.h 
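Review bot: The new `SfIp::ntop(SfIpString str)` in src/sfip/sf_ip.cc writes up to `sizeof(SfIpString)` bytes into its argument, but an array-typed parameter decays to `char*`, so the signature does not enforce the buffer size. A call such as `ip.ntop(small_buf)` with a `char[16]` compiles silently and can overflow on an IPv6 address. Taking the array by reference makes the compiler reject wrongly sized buffers: `const char* ntop(SfIpString& str) const;`, with the same change to the `SfCidr::ntop` declaration and definition in sf_cidr.h and the declaration in sf_ip.h. The return value of `snort_inet_ntop` is also passed straight to `%s` at most call sites; its failure behavior is not visible in this diff and is worth confirming.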
@@ -32,8 +32,9 @@ namespace snort { -struct SfCidr; +using SfIpString = char[INET6_ADDRSTRLEN]; +struct SfCidr; struct SO_PUBLIC SfIp { /* @@ -87,7 +88,7 @@ struct SO_PUBLIC SfIp bool is_private() const; const char* ntop(char* buf, int bufsize) const; - const char* ntoa() const; + const char* ntop(SfIpString) const; void obfuscate(SfCidr* ob); @@ -461,10 +462,8 @@ SO_PUBLIC const char* sfip_ntop(const SfIp* ip, char* buf, int bufsize); inline std::ostream& operator<<(std::ostream& os, const SfIp* addr) { - char str[INET6_ADDRSTRLEN]; - sfip_ntop(addr, str, sizeof(str)); - os << str; - return os; + SfIpString str; + return os << addr->ntop(str); } // FIXIT-L X This should be in utils_net if anywhere, but that makes it way harder to link into unit tests diff --git a/src/sfip/sf_ipvar.cc b/src/sfip/sf_ipvar.cc index 2903f098b..e160ac4d3 100644 --- a/src/sfip/sf_ipvar.cc +++ b/src/sfip/sf_ipvar.cc @@ -1096,9 +1096,15 @@ static void print_var_list(sfip_node_t* var_list, bool print_bits = false) if (p->flags & SFIP_ANY) n += safe_snprintf(sfipvar_test_buff+n, SFIPVAR_TEST_BUFF_LEN - n, "any"); else if (p->flags & SFIP_NEGATED) - n += safe_snprintf(sfipvar_test_buff+n, SFIPVAR_TEST_BUFF_LEN - n, "!%s",p->ip->ntoa()); + { + SfIpString ip_str; + n += safe_snprintf(sfipvar_test_buff+n, SFIPVAR_TEST_BUFF_LEN - n, "!%s",p->ip->ntop(ip_str)); + } else - n += safe_snprintf(sfipvar_test_buff+n, SFIPVAR_TEST_BUFF_LEN - n, "%s", p->ip->ntoa()); + { + SfIpString ip_str; + n += safe_snprintf(sfipvar_test_buff+n, SFIPVAR_TEST_BUFF_LEN - n, "%s", p->ip->ntop(ip_str)); + } if (print_bits and !(p->flags & SFIP_ANY)) n += safe_snprintf(sfipvar_test_buff+n, SFIPVAR_TEST_BUFF_LEN - n, "/%d", diff --git a/src/sfrt/sfrt_test.cc b/src/sfrt/sfrt_test.cc index 7ae86eb6a..a405bd5ce 100644 --- a/src/sfrt/sfrt_test.cc +++ b/src/sfrt/sfrt_test.cc 
@@ -96,14 +96,16 @@ static void test_sfrt_remove_after_insert() if ( s_debug ) { - printf("Insert IP addr: %s, family: %d\n", ip.get_addr()->ntoa(), ip.get_family()); + SfIpString ip_str; + printf("Insert IP addr: %s, family: %d\n", ip.get_addr()->ntop(ip_str), ip.get_family()); } CHECK(sfrt_insert(&ip, ip.get_bits(), &(ip_entry->value), RT_FAVOR_TIME, dir) == RT_SUCCESS); // "sfrt_insert()" if ( s_debug ) { - printf("Lookup IP addr: %s, family: %d\n", ip2.ntoa(), ip2.get_family()); + SfIpString ip_str; + printf("Lookup IP addr: %s, family: %d\n", ip2.ntop(ip_str), ip2.get_family()); } result = (int*)sfrt_lookup(&ip2, dir); if ( s_debug ) @@ -118,7 +120,8 @@ static void test_sfrt_remove_after_insert() if ( s_debug ) { - printf("IP addr: %s, family: %d\n", ip.get_addr()->ntoa(), ip.get_family()); + SfIpString ip_str; + printf("IP addr: %s, family: %d\n", ip.get_addr()->ntop(ip_str), ip.get_family()); printf("value input: %d, output: %d\n", ip_entry->value, *result); } diff --git a/src/stream/ip/ip_defrag.cc b/src/stream/ip/ip_defrag.cc index c10fa9c6a..c18a687c3 100644 --- a/src/stream/ip/ip_defrag.cc +++ b/src/stream/ip/ip_defrag.cc 
@@ -116,20 +116,53 @@ using namespace snort; /* D A T A S T R U C T U R E S **********************************/ + struct Fragment { - uint8_t* data; /* ptr to adjusted start position */ - uint16_t size; /* adjusted frag size */ - uint16_t offset; /* adjusted offset position */ + Fragment(uint16_t flen, const uint8_t* fptr, int ord) + { init(flen, fptr, ord); } + + Fragment(Fragment* other, int ord) + { + init(other->flen, other->fptr, ord); + data = fptr + (other->data - other->fptr); + size = other->size; + offset = other->offset; + last = other->last; + } + + ~Fragment() + { + if ( fptr ) + delete fptr; + + ip_stats.nodes_released++; + } + + uint8_t* data = nullptr; /* ptr to adjusted start position */ + uint16_t size = 0; /* adjusted frag size */ + uint16_t offset = 0; /* adjusted offset position */ - uint8_t* fptr; /* free pointer */ - uint16_t flen; /* free len, unneeded? */ + uint8_t* fptr = nullptr; /* free pointer */ + uint16_t flen = 0; /* free len, unneeded? */ - Fragment* prev; - Fragment* next; + Fragment* prev = nullptr; + Fragment* next = nullptr; - int ord; - char last; + int ord = 0; + char last = 0; + +private: + inline void init(uint16_t flen, const uint8_t* fptr, int ord) + { + this->flen = flen; + this->fptr = new uint8_t[flen]; + this->ord = ord; + + memcpy(this->fptr, fptr, flen); + + ip_stats.nodes_created++; + } }; /* G L O B A L S **************************************************/ @@ -147,9 +180,6 @@ static const char* const frag_policy_names[] = "SOLARIS" }; -// FIXIT-M convert to session memcap -static THREAD_LOCAL unsigned long mem_in_use = 0; /* memory in use, used for self pres */ - THREAD_LOCAL ProfileStats fragPerfStats; THREAD_LOCAL ProfileStats fragInsertPerfStats; THREAD_LOCAL ProfileStats fragRebuildPerfStats; 
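Review bot: `~Fragment()` releases `fptr` with `delete fptr;`, but `init()` allocates it with `new uint8_t[flen]`. Array storage must be released with `delete[] fptr;`, and the mismatch is undefined behaviour. The `if ( fptr )` guard can go, since deleting a null pointer is a no-op. Because `Fragment` now owns `fptr`, the implicit copy constructor and copy assignment would free the same buffer twice if they were ever used. Declaring `Fragment(const Fragment&) = delete;` and `Fragment& operator=(const Fragment&) = delete;` turns that into a compile error.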
@@ -765,21 +795,6 @@ static inline void add_node(FragTracker* ft, Fragment* prev, Fragment* node) ft->fraglist_count++; } -static void delete_frag(Fragment* frag) -{ - /* - * delete the fragment either in prealloc or dynamic mode - */ - snort_free(frag->fptr); - mem_in_use -= frag->flen; - - snort_free(frag); - mem_in_use -= sizeof(Fragment); - - ip_stats.mem_in_use = mem_in_use; - ip_stats.nodes_released++; -} - static inline void delete_node(FragTracker* ft, Fragment* node) { trace_logf(stream_ip, "Deleting list node %p (p %p n %p)\n", @@ -803,7 +818,7 @@ static inline void delete_node(FragTracker* ft, Fragment* node) ft->fraglist_tail = node->prev; } - delete_frag(node); + delete node; ft->fraglist_count--; } @@ -825,7 +840,7 @@ static void delete_tracker(FragTracker* ft) { dump_me = idx; idx = idx->next; - delete_frag(dump_me); + delete dump_me; } ft->fraglist = nullptr; if (ft->ip_options_data) @@ -1844,34 +1859,16 @@ int Defrag::new_tracker(Packet* p, FragTracker* ft) ft->frag_policy = p->flow->ssn_policy ? p->flow->ssn_policy : engine.frag_policy; ft->engine = &engine; - /* - * get our first fragment storage struct - */ - { - f = (Fragment*)snort_calloc(sizeof(Fragment)); - mem_in_use += sizeof(Fragment); - - f->fptr = (uint8_t*)snort_calloc(fragLength); - mem_in_use += fragLength; - - ip_stats.mem_in_use = mem_in_use; - } - - ip_stats.nodes_created++; - /* initialize the fragment list */ ft->fraglist = nullptr; - /* - * setup the Fragment struct with the current packet's data - */ - memcpy(f->fptr, fragStart, fragLength); + f = new Fragment(fragLength, fragStart, ft->ordinal++); - f->size = f->flen = fragLength; + f->size = fragLength; f->offset = frag_off; - frag_end = f->offset + fragLength; - f->ord = ft->ordinal++; f->data = f->fptr; /* ptr to adjusted start position */ + + frag_end = f->offset + fragLength; if (!(p->ptrs.decode_flags & DECODE_MF)) { f->last = 1; 
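Review bot: Nothing visible in this diff accounts for or caps the memory held by queued fragments once `new_tracker` allocates with `new Fragment(...)`. The `mem_in_use` bookkeeping is removed here and the `memory_used` peg is removed in ip_session.cc. These buffers are sized from packet data, so they are the allocation that grows under heavy fragmentation. Please confirm they are tracked by the memory manager the commit message refers to, since `Fragment::init()` uses plain `new uint8_t[flen]`. A comment at the call naming where the limit is enforced would help, e.g. `// bounded by <memcap mechanism>`. The same applies to `add_frag_node` and `dup_frag_node`, and `new_tracker` continues outside the hunk.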
@@ -1984,30 +1981,7 @@ int Defrag::add_frag_node( return FRAG_INSERT_ANOMALY; } - /* - * grab/generate a new frag node - */ - { - /* - * build a frag struct to track this particular fragment - */ - newfrag = (Fragment*)snort_calloc(sizeof(Fragment)); - mem_in_use += sizeof(Fragment); - - /* - * allocate some space to hold the actual data - */ - newfrag->fptr = (uint8_t*)snort_calloc(fragLength); - mem_in_use += fragLength; - - ip_stats.mem_in_use = mem_in_use; - } - - ip_stats.nodes_created++; - - newfrag->flen = fragLength; - memcpy(newfrag->fptr, fragStart, fragLength); - newfrag->ord = ft->ordinal++; + newfrag = new Fragment(fragLength, fragStart, ft->ordinal++); /* * twiddle the frag values for overlaps @@ -2060,43 +2034,8 @@ int Defrag::add_frag_node( */ int Defrag::dup_frag_node( FragTracker* ft, Fragment* left, Fragment** retFrag) { - Fragment* newfrag = nullptr; /* new frag container */ + Fragment* newfrag = new Fragment(left, ft->ordinal++); - /* - * grab/generate a new frag node - */ - { - /* - * build a frag struct to track this particular fragment - */ - newfrag = (Fragment*)snort_calloc(sizeof(Fragment)); - mem_in_use += sizeof(Fragment); - - /* - * allocate some space to hold the actual data - */ - newfrag->fptr = (uint8_t*)snort_calloc(left->flen); - mem_in_use += left->flen; - - ip_stats.mem_in_use = mem_in_use; - } - - ip_stats.nodes_created++; - - newfrag->ord = ft->ordinal++; - /* - * twiddle the frag values for overlaps - */ - newfrag->flen = left->flen; - memcpy(newfrag->fptr, left->fptr, newfrag->flen); - newfrag->data = newfrag->fptr + (left->data - left->fptr); - newfrag->size = left->size; - newfrag->offset = left->offset; - newfrag->last = left->last; - - /* - * insert the new frag into the list - */ add_node(ft, left, newfrag); trace_logf(stream_ip, diff --git a/src/stream/ip/ip_module.h b/src/stream/ip/ip_module.h index c8afd3e2a..b82370eb4 100644 --- a/src/stream/ip/ip_module.h +++ b/src/stream/ip/ip_module.h 
@@ -76,7 +76,6 @@ struct IpStats PegCount trackers_completed;// iFragComplete PegCount nodes_created; // iFragInserts tracked a similar stat (# calls to insert) PegCount nodes_released; - PegCount mem_in_use; // frag_mem_in_use PegCount reassembled_bytes; // total_ipreassembled_bytes PegCount fragmented_bytes; // total_ipfragmented_bytes }; diff --git a/src/stream/ip/ip_session.cc b/src/stream/ip/ip_session.cc index f07ce2259..44792435f 100644 --- a/src/stream/ip/ip_session.cc +++ b/src/stream/ip/ip_session.cc @@ -51,7 +51,6 @@ const PegInfo ip_pegs[] = { CountType::SUM, "trackers_completed", "datagram trackers completed" }, { CountType::SUM, "nodes_inserted", "fragments added to tracker" }, { CountType::SUM, "nodes_deleted", "fragments deleted from tracker" }, - { CountType::NOW, "memory_used", "current memory usage in bytes" }, { CountType::SUM, "reassembled_bytes", "total reassembled bytes" }, { CountType::SUM, "fragmented_bytes", "total fragmented bytes" }, { CountType::END, nullptr, nullptr } diff --git a/src/target_based/sftarget_reader.cc b/src/target_based/sftarget_reader.cc index 38707daf3..4418a4df6 100644 --- a/src/target_based/sftarget_reader.cc +++ b/src/target_based/sftarget_reader.cc @@ -190,8 +190,9 @@ static void PrintHostAttributeEntry(HostAttributeEntry* host) if (!host) return; + SfIpString ip_str; DebugFormat(DEBUG_ATTRIBUTE, "Host IP: %s/%d\n", - host->ipAddr.ntoa(), + host->ipAddr.ntop(ip_str), host->ipAddr.get_bits()); DebugFormat(DEBUG_ATTRIBUTE, diff --git a/src/utils/util_jsnorm.cc b/src/utils/util_jsnorm.cc index 93ebdb16e..21f99c55d 100644 --- a/src/utils/util_jsnorm.cc +++ b/src/utils/util_jsnorm.cc @@ -48,7 +48,7 @@ #define ANY '\0' -typedef enum +enum ActionPNorm { PNORM_ACT_DQUOTES, PNORM_ACT_NOP, @@ -56,10 +56,10 @@ typedef enum PNORM_ACT_SPACE, PNORM_ACT_SQUOTES, PNORM_ACT_WITHIN_QUOTES -} ActionPNorm; +}; // Actions for SFCC -typedef enum +enum ActionSFCC { SFCC_ACT_COMMA, SFCC_ACT_DEC, 
@@ -69,10 +69,10 @@ typedef enum SFCC_ACT_OCT, SFCC_ACT_QUIT, SFCC_ACT_SPACE -} ActionSFCC; +}; // Actions for Unescape -typedef enum +enum ActionUnsc { UNESC_ACT_BACKSLASH, UNESC_ACT_CONV, @@ -86,10 +86,10 @@ typedef enum UNESC_ACT_UBACKSLASH, UNESC_ACT_UPERCENT, UNESC_ACT_UNESCAPE -} ActionUnsc; +}; // Actions for Javascript norm -typedef enum +enum ActionJSNorm { ACT_NOP, ACT_QUIT, @@ -97,7 +97,7 @@ typedef enum ACT_SFCC, ACT_SPACE, ACT_UNESCAPE -} ActionJSNorm; +}; static const int hex_lookup[256] = { @@ -167,25 +167,23 @@ static const int valid_chars[256] = 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; -static THREAD_LOCAL char decoded_out[65535]; - -typedef struct +struct JSNorm { uint8_t state; uint8_t event; uint8_t match; uint8_t other; uint8_t action; -} JSNorm; +}; -typedef struct +struct Dbuf { char* data; uint16_t size; uint16_t len; -}Dbuf; +}; -typedef struct +struct PNormState { uint8_t fsm; uint8_t fsm_other; @@ -195,9 +193,9 @@ typedef struct uint16_t num_spaces; char* overwrite; Dbuf output; -}PNormState; +}; -typedef struct +struct SFCCState { uint8_t fsm; uint8_t buf[MAX_BUF]; @@ -205,9 +203,9 @@ typedef struct uint16_t cur_flags; uint16_t alert_flags; Dbuf output; -} SFCCState; +}; -typedef struct +struct JSNormState { uint8_t fsm; uint8_t prev_event; @@ -215,9 +213,9 @@ typedef struct uint8_t* unicode_map; char* overwrite; Dbuf dest; -} JSNormState; +}; -typedef struct +struct UnescapeState { uint8_t fsm; uint8_t multiple_levels; @@ -230,7 +228,7 @@ typedef struct char* overwrite; ActionUnsc prev_action; Dbuf output; -} UnescapeState; +}; // STATES for SFCC #define S0 0 
@@ -440,7 +438,8 @@ static const JSNorm javascript_norm[] = { Z6+ 0, ANY, Z0+ 0, Z0+ 0, ACT_NOP } }; -static void UnescapeDecode(const char*, uint16_t, const char**, char**, uint16_t*, JSState*, uint8_t*); +static void UnescapeDecode(const char* src, uint16_t srclen, const char** ptr, char** dst, size_t dst_len, + uint16_t* bytes_copied, JSState* js, uint8_t* iis_unicode_map); static inline int outBounds(const char* start, const char* end, const char* ptr) { @@ -797,7 +796,7 @@ static int SFCC_scan_fsm(SFCCState* s, int c) } static void StringFromCharCodeDecode( - const char* src, uint16_t srclen, const char** ptr, char** dst, + const char* src, uint16_t srclen, const char** ptr, char** dst, size_t dst_len, uint16_t* bytes_copied, JSState* js, uint8_t* iis_unicode_map) { const char* start = src; @@ -806,8 +805,8 @@ static void StringFromCharCodeDecode( SFCCState s; s.buflen = 0; s.fsm = 0; - s.output.data = decoded_out; - s.output.size = sizeof(decoded_out); + s.output.data = *dst; + s.output.size = dst_len; s.output.len = 0; s.cur_flags = s.alert_flags = 0; @@ -832,10 +831,9 @@ static void StringFromCharCodeDecode( { js->alerts |= ALERT_MIXED_ENCODINGS; } - UnescapeDecode(s.output.data, s.output.len, (const char**)&(s.output.data), &(s.output.data), - &(s.output.len), js, iis_unicode_map); + UnescapeDecode(s.output.data, s.output.len, (const char**)&(s.output.data), &s.output.data, + s.output.size, &(s.output.len), js, iis_unicode_map); - *dst = s.output.data; *bytes_copied = s.output.len; } 
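Review bot: `s.output.size = dst_len;` in `StringFromCharCodeDecode` stores a `size_t` into `Dbuf::size`, which is declared `uint16_t`, so the recorded capacity is silently truncated. It is correct today only because the one visible caller passes `sizeof(decoded_out)`, which is 65535; a 65536-byte buffer would be recorded as size 0. Either declare the parameter as `uint16_t dst_len` to match `Dbuf`, or widen `Dbuf::size`. The same assignment appears in `UnescapeDecode`, and both function bodies continue outside their hunks.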
@@ -1056,8 +1054,8 @@ static int Unescape_scan_fsm(UnescapeState* s, int c, JSState* js) return(Unescape_exec(s, (ActionUnsc)m->action, c, js)); } -static void UnescapeDecode(const char* src, uint16_t srclen, const char** ptr, char** dst, uint16_t* bytes_copied, - JSState* js, uint8_t* iis_unicode_map) +static void UnescapeDecode(const char* src, uint16_t srclen, const char** ptr, char** dst, size_t dst_len, + uint16_t* bytes_copied, JSState* js, uint8_t* iis_unicode_map) { const char* start = src; const char* end = src + srclen; @@ -1065,8 +1063,8 @@ static void UnescapeDecode(const char* src, uint16_t srclen, const char** ptr, c UnescapeState s; s.iNorm = 0; s.fsm = 0; - s.output.data = decoded_out; - s.output.size = sizeof(decoded_out); + s.output.data = *dst; + s.output.size = dst_len; s.output.len = 0; s.alert_flags = 0; s.prev_event = 0; @@ -1104,7 +1102,6 @@ static void UnescapeDecode(const char* src, uint16_t srclen, const char** ptr, c } PNormDecode(s.output.data, s.output.len, s.output.data, s.output.len, bytes_copied, js); - *dst = s.output.data; //*bytes_copied = s.output.len; } @@ -1160,7 +1157,10 @@ static int JSNorm_exec(JSNormState* s, ActionJSNorm a, int c, const char* src, u char* cur_ptr; int iRet = RET_OK; uint16_t bcopied = 0; - char* dest; + // FIXIT-M this is large for stack. Move elsewhere. + char decoded_out[65535]; + char* dest = decoded_out; + cur_ptr = s->dest.data+ s->dest.len; switch (a) { @@ -1183,7 +1183,7 @@ static int JSNorm_exec(JSNormState* s, ActionJSNorm a, int c, const char* src, u { s->dest.len = s->overwrite - s->dest.data; } - UnescapeDecode(src, srclen, ptr, &dest, &bcopied, js, s->unicode_map); + UnescapeDecode(src, srclen, ptr, &dest, sizeof(decoded_out), &bcopied, js, s->unicode_map); WriteJSNorm(s, dest, bcopied, js); break; case ACT_SFCC: 
@@ -1191,7 +1191,7 @@ static int JSNorm_exec(JSNormState* s, ActionJSNorm a, int c, const char* src, u { s->dest.len = s->overwrite - s->dest.data; } - StringFromCharCodeDecode(src, srclen, ptr, &dest, &bcopied, js, s->unicode_map); + StringFromCharCodeDecode(src, srclen, ptr, &dest, sizeof(decoded_out), &bcopied, js, s->unicode_map); WriteJSNorm(s, dest, bcopied, js); break; case ACT_QUIT: diff --git a/src/utils/util_jsnorm.h b/src/utils/util_jsnorm.h index c745a5501..7578c123d 100644 --- a/src/utils/util_jsnorm.h +++ b/src/utils/util_jsnorm.h @@ -31,12 +31,12 @@ #define MAX_ALLOWED_OBFUSCATION 1 -typedef struct +struct JSState { int allowed_spaces; int allowed_levels; uint16_t alerts; -} JSState; +}; SO_PUBLIC int JSNormalizeDecode( const char*, uint16_t, char*, uint16_t destlen, const char**, int*, JSState*, uint8_t*); diff --git a/src/utils/util_net.cc b/src/utils/util_net.cc index ee4459766..3cae758fc 100644 --- a/src/utils/util_net.cc +++ b/src/utils/util_net.cc @@ -57,8 +57,8 @@ char* ObfuscateIpToText(const SfIp* ip, SfCidr& homenet, SfCidr& obfunet, InetBu tmp.obfuscate(&obfunet); } - const char* tmp_buf = tmp.ntoa(); - SnortSnprintf(ab, sizeof(ab), "%s", tmp_buf); + SfIpString ip_str; + SnortSnprintf(ab, sizeof(ab), "%s", tmp.ntop(ip_str)); } return ab;