If FlowForceReassemblyForFlowV2 can't get packets to inject into the
engine, until now it would bail and retry later. In case of resource
starvation issues, this would cause a lot of lock contention, as the
flow manager would try over and over again.
This patch limits FlowForceReassemblyForFlowV2 to one try per flow,
if it fails... bad luck. It will only fail in serious conditions,
which means we must prefer the health of the engine over the proper
inspection of the flow in question.
AppLayer Proto detection code uses a mix of pattern search and
"probing parsers". The pattern search validates potential matches
using a single pattern search algo. The code was using SpmSearch
for this, but this made it inefficient as it builds a BoyerMoore
context for each search. This lead to significant memory pressure,
especially on high speed/bandwidth boxes.
This patch switches the search calls to BoyerMoore and BoyerMoore-
Nocase directly. This can be done as the ctx' were available already.
Move app layer event handling into app-layer-event.[ch].
Convert 'Set' macro's to functions.
Get rid of duplication in Set and SetRaw. Set now calls SetRaw.
Fix potentential int overflow condition in the event storage.
Update callers.
Don't use FlowGetProtoMapping at runtime, use f->protomap instead.
Add safety check to make sure its value is within range, as it's
used to index an array.
Update unittests to initialized flows (somewhat).
Remove unnecessay inlining.
Rename functions with wrong naming scheme. E.g. AllocAppLayer.. instead
of AppLayer..Alloc.
Use AppProto instead of uint16_t.
Convert u16 ipproto cases to u8.
This patch updates the DNS counters from the main AppLayer entry
functions. Due to the limited scope of AppLayerThreadCtx some of
the logic had to be implemented in app-layer.c, where it doesn't
belong.
To be able to register counters from AppLayerGetCtxThread, the
ThreadVars pointer needs to be available in it and thus in it's
callers:
- AppLayerGetCtxThread
- DecodeThreadVarsAlloc
- StreamTcpReassembleInitThreadCtx
Add memuse tracking and memcap checking to the DNS parsers. Memuse
is tracked globally and per flow (state).
Memcaps are also checked per flow and globally before memory allocs
are done.
In some cases the TLS state pointers to subject and issuerdn could
be overwritten by a new memory allocation, causing us to loose
track of the old.
This has been observed in the case of improper VLAN handling, where
it was suspected that multiple unrelated TLS streams were mangled
together.
The loop is freeing elements so we need to use the safe version
of TIALQ_FOREACH.
This fixes a valgrind error:
Thread 1 Suricata-Main:
Invalid read of size 8
at 0x8E129C: LiveDeviceListClean (util-device.c:167)
by 0x89B742: main (suricata.c:2284)
Address 0x8382988 is 24 bytes inside a block of size 40 free'd
at 0x4C2A70C: free (vg_replace_malloc.c:468)
by 0x8E1297: LiveDeviceListClean (util-device.c:179)
by 0x89B742: main (suricata.c:2284)
Buffers in per thread HTTP header, client body and server body storage
would be freed based on the usage indicator instead of the size
indicator.
As the usage indicator (e.g. hsbd_buffers_list_len) could be reset
while leaving the memory untouched for later reuse, the free function
would not iterate over all memory blocks.
Removed DrMemory suppressions as well.
Bug #980.
Logic of patch 98e4a14f6d was correct
but implementation is wrong because TP_STATUS_KERNEL is equal to
zero and thus can not be evaluated in a binary operation. This patch
updates the logic by doing two tests.
Reported-by: Alessandro Guido
GCC typically generates better code without the -no-strict-aliasing flag.
It is only required if code makes assumptiosn that break strict aliasing.
The unit tests pass on x86 and Tile without the flag.
Victor Julien
Eric Leblond
Anoop Saldanha
Ken Steele