http: adds debug check against too many warnings

6 years ago · 053c728871
parent aa3f784d32
commit 053c728871
3 changed files with 21 additions and 1 deletions
--- a/rules/http-events.rules
+++ b/rules/http-events.rules
@ -81,4 +81,6 @@ alert http any any -> any any (msg:"SURICATA HTTP duplicate content length field

 alert http any any -> any any (msg:"SURICATA HTTP compression bomb"; flow:established; app-layer-event:http.compression_bomb; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221049; rev:1;)

-# next sid 2221050
+alert http any any -> any any (msg:"SURICATA HTTP too many warnings"; flow:established; app-layer-event:http.too_many_warnings; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221050; rev:1;)
+
+# next sid 2221051
--- a/src/app-layer-htp.c
+++ b/src/app-layer-htp.c
@ -87,6 +87,9 @@ static SCRadixTree *cfgtree;
 /** List of HTP configurations. */
 static HTPCfgRec cfglist;

+/** Limit to the number of libhtp messages that can be handled */
+#define HTP_MAX_MESSAGES 512
+
 SC_ATOMIC_DECLARE(uint32_t, htp_config_flags);

 #ifdef DEBUG
@ -198,6 +201,9 @@ SCEnumCharMap http_decoder_event_table[ ] = {
    { "MULTIPART_INVALID_HEADER",
        HTTP_DECODER_EVENT_MULTIPART_INVALID_HEADER},

+    { "TOO_MANY_WARNINGS",
+        HTTP_DECODER_EVENT_TOO_MANY_WARNINGS},
+
    { NULL,                      -1 },
 };

@ -689,6 +695,16 @@ static void HTPHandleError(HtpState *s, const uint8_t dir)

    size_t size = htp_list_size(s->conn->messages);
    size_t msg;
+    if(size >= HTP_MAX_MESSAGES) {
+        if (s->htp_messages_offset < HTP_MAX_MESSAGES) {
+            //only once per HtpState
+            HTPSetEvent(s, NULL, dir, HTTP_DECODER_EVENT_TOO_MANY_WARNINGS);
+            s->htp_messages_offset = HTP_MAX_MESSAGES;
+            DEBUG_VALIDATE_BUG_ON("Too many libhtp messages");
+        }
+        // ignore further messages
+        return;
+    }

    for (msg = s->htp_messages_offset; msg < size; msg++) {
        htp_log_t *log = htp_list_get(s->conn->messages, msg);
--- a/src/app-layer-htp.h
+++ b/src/app-layer-htp.h
@ -132,6 +132,8 @@ enum {
    HTTP_DECODER_EVENT_MULTIPART_GENERIC_ERROR,
    HTTP_DECODER_EVENT_MULTIPART_NO_FILEDATA,
    HTTP_DECODER_EVENT_MULTIPART_INVALID_HEADER,
+
+    HTTP_DECODER_EVENT_TOO_MANY_WARNINGS,
 };

 typedef enum HtpSwfCompressType_ {