Victor Julien [Thu, 13 Jul 2017 08:04:47 +0000 (10:04 +0200)]
radix: fix risky malloc call
GCC7 said:
CC util-radix-tree.o
In file included from util-debug-filters.h:29:0,
from util-debug.h:34,
from suricata-common.h:421,
from util-radix-tree.c:26:
util-radix-tree.c: In function ‘SCRadixAddKey’:
util-mem.h:177:12: error: argument 1 range [18446744071562067968, 18446744073709551615] exceeds maximum object size 9223372036854775807 [-Werror=alloc-size-larger-than=]
ptrmem = malloc((a)); \
~~~~~~~^~~~~~~~~~~~~
util-radix-tree.c:749:42: note: in expansion of macro ‘SCMalloc’
if ( (inter_node->netmasks = SCMalloc((node->netmask_cnt - i) *
^~~~~~~~
In file included from suricata-common.h:69:0,
from util-radix-tree.c:26:
/usr/include/stdlib.h:443:14: note: in a call to allocation function ‘malloc’ declared here
extern void *malloc (size_t __size) __THROW __attribute_malloc__ __wur;
^~~~~~
scan-build said:
util-radix-tree.c:749:42: warning: Call to 'malloc' has an allocation size of 0 bytes
if ( (inter_node->netmasks = SCMalloc((node->netmask_cnt - i) *
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./util-mem.h:177:14: note: expanded from macro 'SCMalloc'
ptrmem = malloc((a)); \
^~~~~~~~~~~
1 warning generated.
Victor Julien [Thu, 13 Jul 2017 07:57:40 +0000 (09:57 +0200)]
gcc7: fix format-truncation warnings in runmodes
Example:
util-runmodes.c: In function ‘RunModeSetIPSAutoFp’:
util-runmodes.c:496:40: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
snprintf(qname, sizeof(qname), "pickup%d", thread+1);
^~~~~~~~~~
util-runmodes.c:496:9: note: ‘snprintf’ output between 8 and 17 bytes into a destination of size16
snprintf(qname, sizeof(qname), "pickup%d", thread+1);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solved by reducing 'thread' to a uint16_t and limiting the max
thread count to 1024.
Victor Julien [Tue, 27 Jun 2017 13:07:40 +0000 (15:07 +0200)]
pcap: fix linktype raw issues
On OpenBSD 6.0 and 6.1 the following pcap gets a datalink type of
101 instead of our defined DLT_RAW.
File type: Wireshark/tcpdump/... - pcap
File encapsulation: Raw IP
File timestamp precision: microseconds (6)
Packet size limit: file hdr: 262144 bytes
Number of packets: 23
File size: 11 kB
Data size: 11 kB
Capture duration: 7,424945 seconds
First packet time: 2017-05-25 21:59:31,957953
Last packet time: 2017-05-25 21:59:39,382898
Data byte rate: 1536 bytes/s
Data bit rate: 12 kbps
Average packet size: 496,00 bytes
Average packet rate: 3 packets/s
SHA1: 120cff9878b93ac74b68fb9216027bef3b3c018f
RIPEMD160: 35fa287bf30d8be8b8654abfe26e8d3883262e8e
MD5: 13fe4bc50fe09bdd38f07739bd1ff0f0
Strict time order: True
Number of interfaces in file: 1
Interface #0 info:
Encapsulation = Raw IP (7/101 - rawip)
Capture length = 262144
Time precision = microseconds (6)
Time ticks per second = 1000000
Number of stat entries = 0
Number of packets = 23
On Linux it is 12.
On the tcpdump/libpcap site the DLT_RAW is defined as 101:
http://www.tcpdump.org/linktypes.html
Strangely, on OpenBSD the DLT_RAW macro is defined as 14 as expected.
So for some reason, libpcap on OpenBSD uses 101 which seems to match
the tcpdump/libpcap documentation.
So this patch adds support for datalink 101 as RAW.
Jason Ish [Mon, 26 Jun 2017 17:04:46 +0000 (11:04 -0600)]
log: wrap rotation and write in lock
The application log is subject to rotation, so the check for
rotation, the actual rotation and write needs to be done under
lock to ensure the file pointer is in a consisten state
at the time of write().
Victor Julien [Wed, 5 Apr 2017 19:19:33 +0000 (15:19 -0400)]
modbus: fix compiler warnings about alignment
app-layer-modbus.c:1226:39: warning: taking address of packed member 'transactionId' of class or structure 'ModbusHeader_' may result in an unaligned pointer value [-Waddress-of-packed-member]
if (ModbusExtractUint16(modbus, &(header->transactionId), input, input_len, &offset) ||
^~~~~~~~~~~~~~~~~~~~~
app-layer-modbus.c:1228:39: warning: taking address of packed member 'protocolId' of class or structure 'ModbusHeader_' may result in an unaligned pointer value [-Waddress-of-packed-member]
ModbusExtractUint16(modbus, &(header->protocolId), input, input_len, &offset) ||
^~~~~~~~~~~~~~~~~~
app-layer-modbus.c:1230:39: warning: taking address of packed member 'length' of class or structure 'ModbusHeader_' may result in an unaligned pointer value [-Waddress-of-packed-member]
ModbusExtractUint16(modbus, &(header->length), input, input_len, &offset) ||
^~~~~~~~~~~~~~
3 warnings generated.
Victor Julien [Wed, 5 Apr 2017 13:13:17 +0000 (15:13 +0200)]
pool: fix compiler warning
clang-4.0 reported:
util-pool.c:242:13: warning: logical not is only applied to the left hand side of this bitwise operator [-Wlogical-not-parentheses]
if (! pb->flags & POOL_BUCKET_PREALLOCATED) {
^ ~
util-pool.c:242:13: note: add parentheses after the '!' to evaluate the bitwise operator first
if (! pb->flags & POOL_BUCKET_PREALLOCATED) {
^
( )
util-pool.c:242:13: note: add parentheses around left hand side expression to silence this warning
if (! pb->flags & POOL_BUCKET_PREALLOCATED) {
^
( )
util-pool.c:261:13: warning: logical not is only applied to the left hand side of this bitwise operator [-Wlogical-not-parentheses]
if (! pb->flags & POOL_BUCKET_PREALLOCATED) {
^ ~
util-pool.c:261:13: note: add parentheses after the '!' to evaluate the bitwise operator first
if (! pb->flags & POOL_BUCKET_PREALLOCATED) {
^
( )
util-pool.c:261:13: note: add parentheses around left hand side expression to silence this warning
if (! pb->flags & POOL_BUCKET_PREALLOCATED) {
^
( )
2 warnings generated.
Victor Julien [Wed, 29 Mar 2017 09:15:51 +0000 (11:15 +0200)]
http: fix body tracking corner case
In some cases, observed with inspect limits 0, the body tracking could
get confused. When all chunks were already freed, a new chunk would
be considered to be the start of the body. This would overwrite the
bodies 'content_len_so_far' tracker, instead of adding to it. This in
turn could lead to a assertion abort in the inspection code.
This patch redoes the append code to always add the current lenght. It
cleans up the code to remove redundant logic.
Victor Julien [Mon, 6 Mar 2017 09:54:57 +0000 (10:54 +0100)]
bytejump: don't print errors when matching
When bytejump was told to convert some payload data to int from a
string it would print an error to the screen if the conversion
failed. This is unwanted as the payload is controlled by an attacker
and printing is expensive.
Victor Julien [Sun, 26 Feb 2017 18:56:38 +0000 (19:56 +0100)]
app-layer: fix gap handling in protocol detection
A GAP during protocol detection would lead to all reassembly
getting disabled, so also the raw reassembly. In addition, it
could prevent the opposing side from doing protocol detection.
This patch remove the 'disable reassembly' logic. Stream engine
will take the stream with GAP and app-layer will make the proto
detection as complete.
One approach to fixing this issue to just validate the
checksum instead of regenerating it and comparing it. This
method is used in some kernels and other network tools.
When validating, the current checksum is passed in as an
initial argument which will cause the final checksum to be 0
if OK. If generating a checksum, 0 is passed and the result
is the generated checksum.
Jason Ish [Fri, 24 Mar 2017 19:59:39 +0000 (13:59 -0600)]
travis: macos: unlink all deps, then relink
Kind of ugly, but first unlink all dependencies then install.
The deps that don't get an upgrade will remain unlinked, so
relink all dependencies as relinking an already linked dep
does not error out.
Jason Ish [Fri, 17 Mar 2017 17:11:07 +0000 (11:11 -0600)]
travis: fix libpcre in mac builds
It looks like Travis changed their Mac image and pcre is now
installed by default. In case it gets removed again, just unlink
it before re-installing so it doesn't fail on install.
Jason Ish [Sun, 5 Feb 2017 13:57:54 +0000 (07:57 -0600)]
defrag - take protocol into account during re-assembly
The IP protocol was not being used to match fragments with
their packets allowing a carefully constructed packet
with a different protocol to be matched, allowing re-assembly
to complete, creating a packet that would not be re-assembled
by the destination host.
Victor Julien [Thu, 9 Feb 2017 17:22:18 +0000 (18:22 +0100)]
afl: improve packet fuzz testing
Due to the use of AFL_LOOP and initialization/deinit outside of it,
part of the fuzzing relied on the global 'state' in flow and defrag.
Because of this crashes that were found could not be reproduced. The
saved crash input was only the last in the series.
This patch addresses that. It requires a new output directory 'dump'
where the packet fuzzers will store all their input. If the AFL_LOOP
fails the files will not be removed and this 'serie' can be read
again for reproducing the issue.
e.g.: AFL would work with:
--afl-decoder-ppp=@@
and after a crash is found the produced serie can be read with:
--afl-decoder-ppp-serie=1486656919-514163
The series have a timestamp as name and a suffix that controls the
order in which the files will be 'replayed' in Suricata.
The size of a memory buffer to be allocated was kept in a signed int
instead of a size_t, leading to an overflow when large lists of long
and diverse patterns cause the amount of AC states to blow up (>2GB).
Fixes Redmine issues #1827 and #1843.
Victor Julien [Wed, 8 Feb 2017 12:55:34 +0000 (13:55 +0100)]
detect: don't run IP inspection on non-IP packets
The code to get the rule group (sgh) would return the group for
IP proto 0 instead of nothing. This lead to certain types of rules
unintentionally matching (False Positive).
Since the packets weren't actually IP, the logged alert records
were missing the IP header.
Eric Leblond [Tue, 1 Nov 2016 21:09:31 +0000 (22:09 +0100)]
af-packet: add VLAN header when needed in IPS mode
When packet is coming from a real ethernet card, the kernel is
stripping the vlan header and delivering a modified packet so
we need to insert the VLAN header back before sending the packet
on the wire.
To do so, we pass an option to the raw socket to add a reserve
before the packet data. It will get Suricata some head room to
to move the ethernet addresses before there actual place and
and insert the VLAN header in the correct place.
We get VLAN info from the ring buffer as the call of AFPWrite is
always done in the release function so we still have access to the
memory.
Jason Ish [Tue, 31 Jan 2017 18:32:18 +0000 (12:32 -0600)]
dns-log: log requests even when there is no response
The JSON logger had already been updated to handle
transactions without a response. Apply the same logic
to the older dns-log where a logger is registered
for each direction.
Andreas Herz [Tue, 29 Nov 2016 21:10:56 +0000 (22:10 +0100)]
app-layer-parsing: detect malformed input
If the app-layer-parsing has a very long content it exceeds the maximum
defined in "alproto_name". This adds a check for the too long content
before it will be passed to "strlcpy" and logs an error.
Sascha Steinbiss [Fri, 20 Jan 2017 14:28:41 +0000 (15:28 +0100)]
mpm/spm: check for SSSE3 and enable/disable HS
The new Hyperscan 4.4 API provides a function to check for SSSE3
presence at runtime. This allows us to fall back to non-Hyperscan
matchers on systems without SSSE3 even when the suricata executable
is built with Hyperscan support. Addresses Redmine issue #2010.
Victor Julien [Thu, 26 Jan 2017 17:05:11 +0000 (18:05 +0100)]
stream: initialize stream segment pool from mtu
If segments section in the yaml is ommitted (default) or when the
pool size is set to 'from_mtu', the size of the pool will be MTU
minus 40. If the MTU couldn't be determined, it's assumed to be
1500, so the segment size for the bool will be 1460.
Victor Julien [Thu, 26 Jan 2017 09:16:53 +0000 (10:16 +0100)]
threads: fix missed logging at shutdown
At shutdown, all flows that still need work are handled by the flow
force reassembly logic. This means one or more flow end pseudo packets
are generated and pushed through the engine for final detection and
logging.
In some cases this would not work correctly. This was caused by the
flow timeout logic kicking in before all the 'live' packets were
processed. Before the flow timeout handling runs the receive threads
are disabled, however the engine did not wait for the in-flight
packets to be fully processed. In autofp mode, packets could still
be in the queue between receive thread(s) and flow worker(s).
This patch adds a new function that 'drains' all the packet threads
of any in-progress packets before moving on the flow timeout logic.
Jason Ish [Fri, 18 Nov 2016 16:53:25 +0000 (10:53 -0600)]
templates: require the protocol name to start with a capital
When running ./setup-app-layer.sh require the protocol name to
start with a capital letter so it looks somewhat like a proper
name. This will help give better function names.
For example:
./setup-app-layer.sh IRC
./setup-app-layer.sh Irc
will create function names starting with IRC or Irc. But we do
not want function names to start with "irc".
Eric Leblond [Thu, 19 Jan 2017 18:52:41 +0000 (10:52 -0800)]
util-file: introduce new functions for file size
This patch introduces the FileDataSize and FileTrackedSize functions.
The first one is just a renaming of the initial FilSize function
whereas the other one is using the newly introduced size field as
value.
Eric Leblond [Wed, 18 Jan 2017 19:08:21 +0000 (11:08 -0800)]
util-file: change file size computation
The file size returned by FileSize is invalid if file store is not
used so we introduce a new size field in File structure that is used
to store the size.
Jason Ish [Thu, 19 Jan 2017 05:23:11 +0000 (23:23 -0600)]
pcap-log: fix pcre_study error check
Code was failing on a NULL return value which can be returned
when there was nothing todo instead of an error. Instead
check the errbuf for a non-NULL value to determine error.
projects / thirdparty / suricata.git / log
