--- /dev/null
+function init(args)
+ local needs = {}
+ needs["payload"] = tostring(true)
+ return needs
+end
+
+function match(args)
+ -- Allocates 400KB via a single new-allocation (ptr==NULL path).
+ -- With correct enforcement, alloc_limit blocks this and the script
+ -- fails with "memory limit exceeded" -- no alert fires.
+ -- On affected versions (7.0.15, 8.0.4), the script runs successfully
+ -- and fires an alert because ptr==NULL bypasses the alloc_limit check.
+ local s = string.rep("B", 400000)
+ return 1
+end
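Review bot: The 400000 in `string.rep("B", 400000)` on L14 only works as a regression trigger because it exceeds `security.lua.max-bytes` in the accompanying suricata.yaml, but nothing in the script records that coupling, so a later edit to either value can silently turn the test into a no-op; add `-- must stay well above security.lua.max-bytes (20000) in suricata.yaml` on that line. The result `s` is also never read, which luacheck will flag and which makes the allocation read like dead code to a maintainer; tying the return to it, `return #s == 400000 and 1 or 0`, keeps the alert conditional on the allocation actually having succeeded, which is the condition the test is trying to observe. The "400KB" in the L9 comment is also loose for 400000 bytes; stating the byte count avoids ambiguity when comparing against the limit.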
--- /dev/null
+%YAML 1.1
+---
+
+include: ../../etc/suricata-4.0.3.yaml
+
+# Stock include uses ./output/suricata.log; with -l on the test output dir that
+# becomes output/output/suricata.log. suricata-verify parses engine checks from
+# JSON lines (type: json), not plain text.
+logging:
+ outputs:
+ - console:
+ enabled: yes
+ - file:
+ enabled: yes
+ level: info
+ filename: suricata.log
+ type: json
+ - syslog:
+ enabled: no
+
+security:
+ lua:
+ allow-rules: true
+ max-bytes: 20000
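Review bot: `max-bytes: 20000` on L41 is the value the whole test hinges on, yet the file gives no rationale for it, while the logging section above gets a three-line comment; if the limit is accounted against the Lua state's total footprint rather than per-allocation, a value too close to the script's baseline could make the script fail before the deliberate 400000-byte `string.rep` is reached, so the test would pass for the wrong reason (I cannot tell the accounting model from these lines, so this is a risk to confirm rather than a defect). Add `# chosen above the test script's baseline footprint but far below its single 400000-byte string.rep allocation` next to the key so the margin is deliberate and reviewable. The same coupling applies to the 400000 constant in the Lua script in the first hunk.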
--- /dev/null
+requires:
+ min-version: 9
+
+args:
+ - --set default-rule-path=${TEST_DIR}
+
+# Bug: LuaAlloc ptr==NULL path does not check alloc_limit.
+# A single large string.rep(400000) allocation bypasses security.lua.max-bytes=20000.
+#
+# On affected versions (e.g. 8.0.4, 7.0.15, 9.0.0-dev before fix):
+# - alert 9000001 fires (script ran successfully)
+# - stats.detect.lua.memory_limit_errors == 0 (limit never enforced)
+#
+# Expected behavior after fix:
+# - engine: memory limit exceeded
+# - stats.detect.lua.errors == 1, memory_limit_errors == 1
+# - no alert (script blocked by limit)
+
+checks:
+ - filter:
+ filename: suricata.log
+ count: 1
+ match:
+ engine.message.__startswith: "Lua script failed to run successfully: memory limit exceeded"
+
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.detect.lua.errors: 1
+ stats.detect.lua.memory_limit_errors: 1
+
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 9000001
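Review bot: `min-version: 9` on L44 skips this test on the 7.0.x and 8.0.x trees that the header comment on L52 itself lists as affected, so if the allocator fix is backported those branches get no regression coverage; either lower or drop the requirement once the fix lands there, or add `# raise/lower min-version in step with backports of the LuaAlloc fix` so the gap is intentional. The stats check at L68-73 asserts `count: 1` for an event that may be emitted more than once per run depending on the stats interval and pcap length, which would be a brittle failure unrelated to the limit; if multiple stats records are possible, matching the last record or relaxing the count is safer, though I cannot see the pcap or stats settings from here. If a Lua-less build is a supported configuration, a `features` entry under `requires` would keep the test from failing rather than skipping on it. The checks list may continue beyond this hunk.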