aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ftp: truncate command data that is too long

Browse Source 
FTP control commands will be buffered forever until a new line is seen,
this can lead to memory exhaustion in Suricata.

To fix, set an upper bound, 4096 bytes on the size of the command that
is saved in the transaction. The input continues to be parsed to find
the end of the command so the parser can continue to move onto the next
command.

The result is that the command data in the transaction is truncated,
which also shows up in the ftp transaction logs.

This value is configurable with the max-line-length field in the ftp
app-layer.protocols section.

As FTP doesn't have events at this time, add a new fields to eve-log
that specificy if the request, or the response has been truncated.

Ticket #5024
pull/7282/head
Jason Ish 3 years ago committed by Victor Julien
parent cedffdf14c
commit cf8ed576e0
3 changed files with 86 additions and 34 deletions
Show Stats Download Patch File Download Diff File

99
src/app-layer-ftp.c
Unescape Escape View File

@ -1,4 +1,4 @@
/* Copyright (C) 2007-2020 Open Information Security Foundation
/* Copyright (C) 2007-2022 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
@ -57,6 +57,7 @@
#include "util-memrchr.h"
#include "util-mem.h"
#include "util-misc.h"
#include "util-validate.h"
#include "output-json.h"
#include "rust.h"
@ -126,6 +127,7 @@ const FtpCommand FtpCommands[FTP_COMMAND_MAX + 1] = {
};
uint64_t ftp_config_memcap = 0;
uint32_t ftp_config_maxtx = 1024;
uint32_t ftp_max_line_len = 4096;
SC_ATOMIC_DECLARE(uint64_t, ftp_memuse);
SC_ATOMIC_DECLARE(uint64_t, ftp_memcap);
@ -163,6 +165,14 @@ static void FTPParseMemcap(void)
}
SCLogInfo("FTP max tx: %" PRIu32, ftp_config_maxtx);
}
if ((ConfGet("app-layer.protocols.ftp.max-line-length", &conf_val)) == 1) {
if (ParseSizeStringU32(conf_val, &ftp_max_line_len) < 0) {
SCLogError(SC_ERR_SIZE_PARSE, "Error parsing ftp.max-line-length from conf file - %s.",
conf_val);
}
SCLogConfig("FTP max line length: %" PRIu32, ftp_max_line_len);
}
}
static void FTPIncrMemuse(uint64_t size)
@ -366,6 +376,7 @@ static int FTPGetLineForDirection(FtpState *state, FtpLineState *line_state)
/* we have seen the lf for the previous line. Clear the parser
* details to parse new line */
line_state->current_line_lf_seen = 0;
state->current_line_truncated = false;
if (line_state->current_line_db == 1) {
line_state->current_line_db = 0;
FTPFree(line_state->db, line_state->db_len);
@ -393,20 +404,27 @@ static int FTPGetLineForDirection(FtpState *state, FtpLineState *line_state)
line_state->current_line_db = 1;
memcpy(line_state->db, state->input, state->input_len);
line_state->db_len = state->input_len;
} else {
ptmp = FTPRealloc(line_state->db, line_state->db_len,
(line_state->db_len + state->input_len));
if (ptmp == NULL) {
FTPFree(line_state->db, line_state->db_len);
line_state->db = NULL;
line_state->db_len = 0;
return -1;
} else if (!state->current_line_truncated) {
int32_t input_len = state->input_len;
if (line_state->db_len + input_len > ftp_max_line_len) {
input_len = ftp_max_line_len - line_state->db_len;
DEBUG_VALIDATE_BUG_ON(input_len < 0);
state->current_line_truncated = true;
}
line_state->db = ptmp;
if (input_len > 0) {
ptmp = FTPRealloc(
line_state->db, line_state->db_len, (line_state->db_len + input_len));
if (ptmp == NULL) {
FTPFree(line_state->db, line_state->db_len);
line_state->db = NULL;
line_state->db_len = 0;
return -1;
}
line_state->db = ptmp;
memcpy(line_state->db + line_state->db_len,
state->input, state->input_len);
line_state->db_len += state->input_len;
memcpy(line_state->db + line_state->db_len, state->input, input_len);
line_state->db_len += input_len;
}
}
state->input += state->input_len;
state->input_len = 0;
@ -417,27 +435,35 @@ static int FTPGetLineForDirection(FtpState *state, FtpLineState *line_state)
line_state->current_line_lf_seen = 1;
if (line_state->current_line_db == 1) {
ptmp = FTPRealloc(line_state->db, line_state->db_len,
(line_state->db_len + (lf_idx + 1 - state->input)));
if (ptmp == NULL) {
FTPFree(line_state->db, line_state->db_len);
line_state->db = NULL;
line_state->db_len = 0;
return -1;
}
line_state->db = ptmp;
if (!state->current_line_truncated) {
int32_t input_len = lf_idx + 1 - state->input;
if (line_state->db_len + input_len > ftp_max_line_len) {
input_len = ftp_max_line_len - line_state->db_len;
DEBUG_VALIDATE_BUG_ON(input_len < 0);
state->current_line_truncated = true;
}
if (input_len > 0) {
ptmp = FTPRealloc(
line_state->db, line_state->db_len, (line_state->db_len + input_len));
if (ptmp == NULL) {
FTPFree(line_state->db, line_state->db_len);
line_state->db = NULL;
line_state->db_len = 0;
return -1;
}
line_state->db = ptmp;
memcpy(line_state->db + line_state->db_len,
state->input, (lf_idx + 1 - state->input));
line_state->db_len += (lf_idx + 1 - state->input);
memcpy(line_state->db + line_state->db_len, state->input, input_len);
line_state->db_len += input_len;
if (line_state->db_len > 1 &&
line_state->db[line_state->db_len - 2] == 0x0D) {
line_state->db_len -= 2;
state->current_line_delimiter_len = 2;
} else {
line_state->db_len -= 1;
state->current_line_delimiter_len = 1;
if (line_state->db_len > 1 && line_state->db[line_state->db_len - 2] == 0x0D) {
line_state->db_len -= 2;
state->current_line_delimiter_len = 2;
} else {
line_state->db_len -= 1;
state->current_line_delimiter_len = 1;
}
}
}
state->current_line = line_state->db;
@ -445,7 +471,12 @@ static int FTPGetLineForDirection(FtpState *state, FtpLineState *line_state)
} else {
state->current_line = state->input;
state->current_line_len = lf_idx - state->input;
if (lf_idx - state->input > ftp_max_line_len) {
state->current_line_len = ftp_max_line_len;
state->current_line_truncated = true;
} else {
state->current_line_len = lf_idx - state->input;
}
if (state->input != lf_idx &&
*(lf_idx - 1) == 0x0D) {
@ -605,6 +636,7 @@ static AppLayerResult FTPParseRequest(Flow *f, void *ftp_state, AppLayerParserSt
tx->command_descriptor = cmd_descriptor;
tx->request_length = CopyCommandLine(&tx->request,
state->current_line, state->current_line_len);
tx->request_truncated = state->current_line_truncated;
/* change direction (default to server) so expectation will handle
* the correct message when expectation will match.
@ -832,6 +864,7 @@ static AppLayerResult FTPParseResponse(Flow *f, void *ftp_state, AppLayerParserS
FTPString *response = FTPStringAlloc();
if (likely(response)) {
response->len = CopyCommandLine(&response->str, state->current_line, state->current_line_len);
response->truncated = state->current_line_truncated;
TAILQ_INSERT_TAIL(&tx->response_list, response, next);
}
}

5
src/app-layer-ftp.h
Unescape Escape View File

@ -121,13 +121,14 @@ typedef struct FtpLineState_ {
uint8_t *db;
uint32_t db_len;
uint8_t current_line_db;
/** we have see LF for the currently parsed line */
/** we have seen LF for the currently parsed line */
uint8_t current_line_lf_seen;
} FtpLineState;
typedef struct FTPString_ {
uint8_t *str;
uint32_t len;
bool truncated;
TAILQ_ENTRY(FTPString_) next;
} FTPString;
@ -140,6 +141,7 @@ typedef struct FTPTransaction_ {
/* for the request */
uint32_t request_length;
uint8_t *request;
bool request_truncated;
/* for the command description */
const FtpCommand *command_descriptor;
@ -173,6 +175,7 @@ typedef struct FtpState_ {
/** length of the line in current_line. Doesn't include the delimiter */
uint32_t current_line_len;
uint8_t current_line_delimiter_len;
bool current_line_truncated;
/* 0 for toserver, 1 for toclient */
FtpLineState line_state[2];

16
src/output-json-ftp.c
Unescape Escape View File

@ -66,8 +66,15 @@ static void EveFTPLogCommand(Flow *f, FTPTransaction *tx, JsonBuilder *jb)
"command_data",
(const uint8_t *)tx->request + min_length,
tx->request_length - min_length - 1);
if (tx->request_truncated) {
JB_SET_TRUE(jb, "command_truncated");
} else {
JB_SET_FALSE(jb, "command_truncated");
}
}
bool reply_truncated = false;
if (!TAILQ_EMPTY(&tx->response_list)) {
int resp_code_cnt = 0;
int resp_cnt = 0;
@ -83,6 +90,9 @@ static void EveFTPLogCommand(Flow *f, FTPTransaction *tx, JsonBuilder *jb)
} else if (response->len > UINT16_MAX) {
length = UINT16_MAX;
}
if (!reply_truncated && response->truncated) {
reply_truncated = true;
}
while ((pos = JsonGetNextLineFromBuffer((const char *)where, length)) != UINT16_MAX) {
uint16_t offset = 0;
/* Try to find a completion code for this line */
@ -137,6 +147,12 @@ static void EveFTPLogCommand(Flow *f, FTPTransaction *tx, JsonBuilder *jb)
} else {
JB_SET_STRING(jb, "reply_received", "no");
}
if (reply_truncated) {
JB_SET_TRUE(jb, "reply_truncated");
} else {
JB_SET_FALSE(jb, "reply_truncated");
}
}

Write Preview
Loading…
Cancel
Save