detect: non infinite default value for inspection-recursion-limit

So that an empty config is protected by this setting, as was intended.

Set to unlimited for fuzz testing.
pull/12779/head
Philippe Antoine 1 year ago committed by Victor Julien
parent b14c67cbdf
commit b9b797f1f4

@ -2953,6 +2953,7 @@ static int DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
}
intmax_t value = 0;
de_ctx->inspection_recursion_limit = DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT;
if (ConfGetInt("detect.inspection-recursion-limit", &value) == 1)
{
if (value >= 0 && value <= INT_MAX) {
@ -2992,9 +2993,6 @@ static int DetectEngineCtxLoadConf(DetectEngineCtx *de_ctx)
de_ctx->inspection_recursion_limit =
DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT;
}
} else {
de_ctx->inspection_recursion_limit =
DETECT_ENGINE_DEFAULT_INSPECTION_RECURSION_LIMIT;
}
}
}
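Review bot: A configured `detect.inspection-recursion-limit` that fails the range test `value >= 0 && value <= INT_MAX` is now replaced by the default assigned just above the `ConfGetInt()` call, and nothing in the visible lines reports that the operator's value was ignored. Falling back to the bounded default is the safe direction, but a negative or oversized setting should show up in the log. I would give that inner `if` an else branch such as `} else { SCLogWarning("detect.inspection-recursion-limit %" PRIdMAX " is out of range, using the default", value); }`. The body of that `if` lies between the two hunks and is not shown, so such a branch may already exist.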

@ -110,4 +110,6 @@ app-layer:\n\
enabled: yes\n\
quic:\n\
enabled: yes\n\
detect:\n\
inspection-recursion-limit: 0\n\
";
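Review bot: The embedded fuzz configuration sets `inspection-recursion-limit: 0` with nothing beside it to say that `0` means unlimited or that the choice is deliberate. Someone copying this string as a starting config would take the unbounded setting with it. A YAML comment line inside the literal, for example `# 0 = no recursion limit, intended for fuzzing only\n\`, placed above the `detect:` line would record the intent.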

@ -1725,15 +1725,15 @@ decoder:
# The option inspection-recursion-limit is used to limit the recursive calls
# in the content inspection code. For certain payload-sig combinations, we
# might end up taking too much time in the content inspection code.
# If the argument specified is 0, the engine uses an internally defined
# default limit. When a value is not specified, there are no limits on the recursion.
# If the argument specified is 0, there are no limits on the recursion.
# When a value is not specified, the default is 3000
detect:
profile: medium
custom-values:
toclient-groups: 3
toserver-groups: 25
sgh-mpm-context: auto
inspection-recursion-limit: 3000
# inspection-recursion-limit: 3000
# maximum number of times a tx will get logged for rules without app-layer keywords
# stream-tx-log-limit: 4
# Try to guess an app-layer transaction for rules without app-layer keywords,
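Review bot: The rewritten comment says `0` removes the recursion limit, but not that this switches off the protection described in the first three comment lines. The previous wording told operators that `0` selected the internal default, so anyone who set `inspection-recursion-limit: 0` on the strength of the old text should be pointed at the change. I would add `# Warning: 0 disables this protection; leave the option unset to keep the default.` after the line about 0. The literal `3000` also repeats the engine's built-in default, whose value is not visible in this hunk, so the comment and the code can drift apart.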
