detect: set event if max inspect buffers exceeded

If a parser exceeds 1024 buffers we stop processing them and set a detect event instead. This is to avoid parser bugs as well as crafted bad traffic leading to resources starvation due to excessive loops. (cherry picked from commit e611adf3dc)
5 years ago · e49b5358f9
parent c9270f6854
commit e49b5358f9
2 changed files with 28 additions and 17 deletions
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@ -103,25 +103,29 @@ static uint32_t DetectEngineTentantGetIdFromPcap(const void *ctx, const Packet *
 static DetectEngineAppInspectionEngine *g_app_inspect_engines = NULL;
 static DetectEnginePktInspectionEngine *g_pkt_inspect_engines = NULL;

-SCEnumCharMap det_ctx_event_table[ ] = {
+SCEnumCharMap det_ctx_event_table[] = {
 #ifdef UNITTESTS
-    { "TEST",                       DET_CTX_EVENT_TEST },
+    { "TEST", DET_CTX_EVENT_TEST },
 #endif
-    { "NO_MEMORY",                  FILE_DECODER_EVENT_NO_MEM },
-    { "INVALID_SWF_LENGTH",         FILE_DECODER_EVENT_INVALID_SWF_LENGTH },
-    { "INVALID_SWF_VERSION",        FILE_DECODER_EVENT_INVALID_SWF_VERSION },
-    { "Z_DATA_ERROR",               FILE_DECODER_EVENT_Z_DATA_ERROR },
-    { "Z_STREAM_ERROR",             FILE_DECODER_EVENT_Z_STREAM_ERROR },
-    { "Z_BUF_ERROR",                FILE_DECODER_EVENT_Z_BUF_ERROR },
-    { "Z_UNKNOWN_ERROR",            FILE_DECODER_EVENT_Z_UNKNOWN_ERROR },
-    { "LZMA_DECODER_ERROR",         FILE_DECODER_EVENT_LZMA_DECODER_ERROR },
-    { "LZMA_MEMLIMIT_ERROR",        FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR },
-    { "LZMA_OPTIONS_ERROR",         FILE_DECODER_EVENT_LZMA_OPTIONS_ERROR },
-    { "LZMA_FORMAT_ERROR",          FILE_DECODER_EVENT_LZMA_FORMAT_ERROR },
-    { "LZMA_DATA_ERROR",            FILE_DECODER_EVENT_LZMA_DATA_ERROR },
-    { "LZMA_BUF_ERROR",             FILE_DECODER_EVENT_LZMA_BUF_ERROR },
-    { "LZMA_UNKNOWN_ERROR",         FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR },
-    { NULL,                         -1 },
+    { "NO_MEMORY", FILE_DECODER_EVENT_NO_MEM },
+    { "INVALID_SWF_LENGTH", FILE_DECODER_EVENT_INVALID_SWF_LENGTH },
+    { "INVALID_SWF_VERSION", FILE_DECODER_EVENT_INVALID_SWF_VERSION },
+    { "Z_DATA_ERROR", FILE_DECODER_EVENT_Z_DATA_ERROR },
+    { "Z_STREAM_ERROR", FILE_DECODER_EVENT_Z_STREAM_ERROR },
+    { "Z_BUF_ERROR", FILE_DECODER_EVENT_Z_BUF_ERROR },
+    { "Z_UNKNOWN_ERROR", FILE_DECODER_EVENT_Z_UNKNOWN_ERROR },
+    { "LZMA_DECODER_ERROR", FILE_DECODER_EVENT_LZMA_DECODER_ERROR },
+    { "LZMA_MEMLIMIT_ERROR", FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR },
+    { "LZMA_OPTIONS_ERROR", FILE_DECODER_EVENT_LZMA_OPTIONS_ERROR },
+    { "LZMA_FORMAT_ERROR", FILE_DECODER_EVENT_LZMA_FORMAT_ERROR },
+    { "LZMA_DATA_ERROR", FILE_DECODER_EVENT_LZMA_DATA_ERROR },
+    { "LZMA_BUF_ERROR", FILE_DECODER_EVENT_LZMA_BUF_ERROR },
+    { "LZMA_UNKNOWN_ERROR", FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR },
+    {
+            "TOO_MANY_BUFFERS",
+            DETECT_EVENT_TOO_MANY_BUFFERS,
+    },
+    { NULL, -1 },
 };

 /** \brief register inspect engine at start up time
@ -1091,6 +1095,11 @@ static InspectionBufferMultipleForList *InspectionBufferGetMulti(
 InspectionBuffer *InspectionBufferMultipleForListGet(
        DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
 {
+    if (unlikely(local_id >= 1024)) {
+        DetectEngineSetEvent(det_ctx, DETECT_EVENT_TOO_MANY_BUFFERS);
+        return NULL;
+    }
+
    InspectionBufferMultipleForList *fb = InspectionBufferGetMulti(det_ctx, list_id);

    if (local_id >= fb->size) {
--- a/src/detect.h
+++ b/src/detect.h
@ -1240,6 +1240,8 @@ enum {
    FILE_DECODER_EVENT_LZMA_DATA_ERROR,
    FILE_DECODER_EVENT_LZMA_BUF_ERROR,
    FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR,
+
+    DETECT_EVENT_TOO_MANY_BUFFERS,
 };

 #define SIG_GROUP_HEAD_HAVERAWSTREAM    BIT_U32(0)