Each 'add' and 'lookup' would increment the use_cnt, without anything
bringing it back down.
Since there is no removal yet, nothing is actually affected by it yet.
(cherry picked from commit 381bc2dd64)
This commit provides an interface to free previously allocated
per-thread contextual information on the keyword lists.
(cherry picked from commit d1151f3f8e)
For a done transaction with command PORT,
we expect FTP_STATE_FINISHED
and we got FTP_STATE_PORT_DONE instead,
which prevented logging of these transactions.
We change the order of the evaluations to get the right result.
(cherry picked from commit 6f36403219)
Protects against evasion by TCP packet splitting
The problem arose if the FTP response is split over multiple packets.
The fix is to buffer the content until we get a complete line.
(cherry picked from commit a6294d6ec2)
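The evasion and the fix above, as an added example that is not Suricata's own code: a minimal line reassembler that keeps response bytes across segments and only hands a line to the parser once the terminating newline has arrived, contrasted with a per-segment check that a split reply slips past. The "230 " reply matching, the LINEBUF_MAX cap and the sample segments are all assumptions constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define LINEBUF_MAX 4096  /* assumed cap on one response line */

typedef struct {
    char buf[LINEBUF_MAX];
    size_t len;          /* bytes of the incomplete line held so far */
    int complete_lines;  /* full lines handed to the parser */
    int matched_230;     /* of those, how many were "230 " replies */
} LineBuf;

/* Called only with a complete line (CRLF stripped). */
static void on_line(LineBuf *lb, const char *line, size_t len)
{
    lb->complete_lines++;
    if (len >= 4 && memcmp(line, "230 ", 4) == 0)
        lb->matched_230++;
}

/* Feed one segment's payload. Bytes are kept until '\n' arrives, so a line
 * split across segments is still delivered whole. Returns -1 if a line
 * exceeds LINEBUF_MAX (a protocol error, not a reason to overflow). */
int linebuf_feed(LineBuf *lb, const char *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (lb->len >= LINEBUF_MAX)
            return -1;
        lb->buf[lb->len++] = data[i];
        if (data[i] == '\n') {
            size_t l = lb->len;
            while (l > 0 && (lb->buf[l - 1] == '\n' || lb->buf[l - 1] == '\r'))
                l--;
            on_line(lb, lb->buf, l);
            lb->len = 0;
        }
    }
    return 0;
}

/* Fixed approach: reassemble lines across segments, then count "230 " replies. */
int count_230_buffered(const char *const *segs, size_t n)
{
    LineBuf lb = {{0}, 0, 0, 0};
    for (size_t i = 0; i < n; i++)
        if (linebuf_feed(&lb, segs[i], strlen(segs[i])) < 0)
            return -1;
    return lb.matched_230;
}

/* Evadable approach: inspect each segment in isolation as if it were a line. */
int count_230_naive(const char *const *segs, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (strncmp(segs[i], "230 ", 4) == 0)
            hits++;
    return hits;
}

/* Constructed samples: the same reply, delivered whole and split at byte 2. */
static const char *const whole_reply[] = { "230 Login successful.\r\n" };
static const char *const split_reply[] = { "23", "0 Login successful.\r\n" };

int main(void)
{
    printf("whole reply: naive=%d buffered=%d\n",
           count_230_naive(whole_reply, 1), count_230_buffered(whole_reply, 1));
    printf("split reply: naive=%d buffered=%d\n",
           count_230_naive(split_reply, 2), count_230_buffered(split_reply, 2));
    return 0;
}
```

The per-segment check sees "23" and "0 Login successful." and matches neither; the buffered path sees one complete "230 Login successful." line regardless of where the sender cut the packet.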
A deeply nested YAML file can cause a stack-overflow while
reading in the configuration to do the recursive parser. Limit
the recursion level to something sane (128) to prevent this
from happening.
The default Suricata configuration has a recursion level of 128
so there is still lots of room to grow (not that we should).
Redmine ticket:
https://redmine.openinfosecfoundation.org/issues/3630
(cherry picked from commit 4dc80a6e6f)
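The recursion cap described above, as an added example rather than Suricata's parser: a small recursive-descent parser for flow-style sequences that refuses to recurse past 128 levels, so stack usage is bounded no matter how deep the input nests. The flow-sequence grammar and the nested_depth helper are constructed for the demonstration; only the 128 limit comes from the commit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define YAML_MAX_DEPTH 128  /* the ceiling the commit describes */

/* Recursive-descent parse of a flow-style sequence such as "[a, [b, [c]]]".
 * Returns the deepest nesting level reached (top level = 1), or -1 on a
 * syntax error or when nesting would exceed YAML_MAX_DEPTH. The depth check
 * runs before each recursive call, so stack use is bounded for any input. */
static int parse_seq(const char *s, size_t *pos, int depth)
{
    if (depth > YAML_MAX_DEPTH)
        return -1;
    if (s[*pos] != '[')
        return -1;
    (*pos)++;
    int deepest = depth;
    for (;;) {
        char c = s[*pos];
        if (c == '\0')
            return -1;                 /* unterminated sequence */
        if (c == ']') {
            (*pos)++;
            return deepest;
        }
        if (c == '[') {
            int d = parse_seq(s, pos, depth + 1);
            if (d < 0)
                return -1;
            if (d > deepest)
                deepest = d;
        } else {
            (*pos)++;                  /* scalar text, commas, whitespace */
        }
    }
}

int yaml_flow_depth(const char *s)
{
    size_t pos = 0;
    int d = parse_seq(s, &pos, 1);
    if (d < 0)
        return -1;
    return s[pos] == '\0' ? d : -1;    /* trailing garbage is an error */
}

/* Build n nested empty sequences "[[[...]]]" (constructed input; caller frees). */
char *make_nested(int n)
{
    char *buf = malloc((size_t)n * 2 + 1);
    if (buf == NULL)
        return NULL;
    memset(buf, '[', (size_t)n);
    memset(buf + n, ']', (size_t)n);
    buf[n * 2] = '\0';
    return buf;
}

/* Parse an n-level document and return its reported depth (or -1). */
int nested_depth(int n)
{
    char *doc = make_nested(n);
    if (doc == NULL)
        return -1;
    int d = yaml_flow_depth(doc);
    free(doc);
    return d;
}

int main(void)
{
    const int probes[] = { 3, YAML_MAX_DEPTH, YAML_MAX_DEPTH + 1, 1000000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%d levels -> %d\n", probes[i], nested_depth(probes[i]));
    return 0;
}
```

The million-level probe is the interesting one: without the check the parser would recurse a million frames deep, with it the parse is rejected at level 129 and the stack never grows past that.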
This commit eliminates a memory leak while parsing TLS version
information. The leak was identified through fuzzing.
(cherry picked from commit 2823bc5aed)
This commit fixes a memory leak in the SSL version handling that
manifests when the version identifier is incomplete or incorrect.
(cherry picked from commit 6bffe0bd35)
This commit detects duplicate threshold rule options. When duplicates
are found in a rule, an error message is displayed and the rule is
rejected.
(cherry picked from commit ff9a01ee1b)
This patch addresses two problems.
First, various parts of the engine, but most notably the flow manager (FM),
use a minimum of the time notion of the packet threads. This did not,
however, take into account the scenario where one or more of these
threads would be inactive for prolonged times. This could lead to the
time used by the FM getting stale.
This is addressed by keeping track of the last time the per thread packet
timestamp was updated, and only considering it for the 'minimum' when it
is reasonably current.
Second, there was a minor race condition at start up, where the FM would
already inspect the hash table(s) while the packet threads weren't active
yet. Since FM gets the time from the packet threads, it would use a bogus
time of 0.
This is addressed by adding a wait loop to the start of the FM that waits
for 'time' to get ready.
(cherry picked from commit 1e9333288f)
A race condition during the start of pcap file processing could cause
missed alerts and logged events. This race happens between the packet
threads and the flow manager. It was observed on slower hardware, but in
theory could happen on any machine. It required the 'autofp' runmode.
In commit 6f560144c1 ("time: improve offline time handling") the logic
was added to make the flow manager use a minimum of all the packet threads
perception of time.
The race condition was that the flow manager may become active _before_
all of the packet threads have started processing packets and thus setting
their timestamp. The threads that had not yet initialized their timestamp
would not be considered when calculating the minimum.
As a result of this, older packets' timestamps would not yet be registered.
This would give the Flow Manager a timestamp too far in the future. While
the FM was running, the packet processing would start and a flow would
be created. This flow would then immediately be considered 'timed out' by
the FM, due to the timestamp too far in the future.
In the observed case, the thread processing packet 1 from the pcap had not
yet started processing while other threads had already started. The FM was
also already active. Due to the timestamps in the pcap this meant that the
time the FM used was about 500 seconds in the future compared to packet 1.
This patch fixes the issue by initializing all of the threads' timestamps
with the timestamp value of the first packet. This way the minimum will
always consider this timestamp.
(cherry picked from commit 9f1922e175)
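The two flow-manager time fixes above (ignoring stale per-thread timestamps and waiting for time to be ready; seeding every thread with the first packet's timestamp), as one added example that is not Suricata's code. The ThreadTime struct, the 60 second freshness window and the scenario timings are assumptions constructed to reproduce the three situations the commit messages describe.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NTHREADS 4
#define STALE_AFTER 60 /* seconds; assumed freshness window, not Suricata's value */

typedef struct {
    uint64_t pkt_ts;     /* timestamp of the last packet this thread handled */
    uint64_t updated_at; /* monotonic time at which pkt_ts was last written */
    bool set;            /* false until the thread has any timestamp */
} ThreadTime;

/* Second commit's fix: seed every thread with the first packet's timestamp. */
void threads_init_from_first_packet(ThreadTime *t, size_t n, uint64_t first_pkt_ts, uint64_t now)
{
    for (size_t i = 0; i < n; i++) {
        t[i].pkt_ts = first_pkt_ts;
        t[i].updated_at = now;
        t[i].set = true;
    }
}

void thread_update(ThreadTime *t, size_t i, uint64_t pkt_ts, uint64_t now)
{
    t[i].pkt_ts = pkt_ts;
    t[i].updated_at = now;
    t[i].set = true;
}

/* Pre-fix FM time: minimum over threads that have a timestamp, with no
 * freshness check; returns 0 when no thread has one yet (the bogus value). */
uint64_t fm_min_time_old(const ThreadTime *t, size_t n)
{
    uint64_t min = 0;
    bool any = false;
    for (size_t i = 0; i < n; i++) {
        if (!t[i].set) continue;
        if (!any || t[i].pkt_ts < min) { min = t[i].pkt_ts; any = true; }
    }
    return min;
}

/* First commit's fix: skip threads whose timestamp is not reasonably current,
 * and report "not ready" instead of 0 so the FM can wait at startup. */
bool fm_min_time(const ThreadTime *t, size_t n, uint64_t now, uint64_t *out)
{
    uint64_t min = 0;
    bool any = false;
    for (size_t i = 0; i < n; i++) {
        if (!t[i].set) continue;
        if (now - t[i].updated_at > STALE_AFTER) continue; /* stale: ignore */
        if (!any || t[i].pkt_ts < min) { min = t[i].pkt_ts; any = true; }
    }
    if (any) *out = min;
    return any;
}

/* Constructed scenarios; all times in seconds, "now" is 10000. */

/* Thread 0 went idle long ago holding pkt_ts 1000; the others are current at 2000. */
uint64_t stale_thread_old(void)
{
    ThreadTime t[NTHREADS] = {0};
    thread_update(t, 0, 1000, 9000);
    for (size_t i = 1; i < NTHREADS; i++) thread_update(t, i, 2000, 9990);
    return fm_min_time_old(t, NTHREADS);          /* dragged back to 1000 */
}
uint64_t stale_thread_fixed(void)
{
    ThreadTime t[NTHREADS] = {0};
    uint64_t out = 0;
    thread_update(t, 0, 1000, 9000);
    for (size_t i = 1; i < NTHREADS; i++) thread_update(t, i, 2000, 9990);
    fm_min_time(t, NTHREADS, 10000, &out);
    return out;                                    /* 2000 */
}

/* Startup race: packet 1 (ts 1000) belongs to thread 0, which has not run yet;
 * threads 1..3 already processed packets stamped 1500. */
uint64_t startup_race_without_init(void)
{
    ThreadTime t[NTHREADS] = {0};
    for (size_t i = 1; i < NTHREADS; i++) thread_update(t, i, 1500, 9990);
    return fm_min_time_old(t, NTHREADS);          /* 1500: 500 s ahead of packet 1 */
}
uint64_t startup_race_with_init(void)
{
    ThreadTime t[NTHREADS] = {0};
    uint64_t out = 0;
    threads_init_from_first_packet(t, NTHREADS, 1000, 9990);
    for (size_t i = 1; i < NTHREADS; i++) thread_update(t, i, 1500, 9990);
    fm_min_time(t, NTHREADS, 10000, &out);
    return out;                                    /* 1000 */
}

/* FM polling before any packet thread ran: old code gets 0, fixed code is told to wait. */
bool fm_ready_before_threads(void)
{
    ThreadTime t[NTHREADS] = {0};
    uint64_t out = 0;
    return fm_min_time(t, NTHREADS, 10000, &out);  /* false */
}

int main(void)
{
    printf("stale: old=%llu fixed=%llu\n", (unsigned long long)stale_thread_old(),
           (unsigned long long)stale_thread_fixed());
    printf("race:  no-init=%llu init=%llu\n", (unsigned long long)startup_race_without_init(),
           (unsigned long long)startup_race_with_init());
    printf("ready before threads: %d\n", fm_ready_before_threads());
    return 0;
}
```

In the startup race the 500 second offset is exactly what the fix targets: a flow created from packet 1 would be aged against a clock 500 s ahead of it and expire immediately. Seeding all threads with packet 1's timestamp keeps that value in the minimum until the thread that owns it actually runs.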
With data on SYN the sequence number used for the first data
was off by one, leading the next segments to appear to come
after a one byte gap.
(cherry picked from commit b85539b2ab)
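The off-by-one above, as an added example that is not Suricata's stream engine: the SYN flag consumes one sequence number, so payload carried on a SYN starts at seq + 1, and a reassembler that starts it at seq sees a phantom one-byte gap before the next segment. The Seg struct and the three-segment stream are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed segment record; not Suricata's TcpSegment. */
typedef struct {
    uint32_t seq;
    bool syn;
    uint32_t payload_len;
} Seg;

/* Sequence number of a segment's first payload byte. With count_syn the SYN
 * flag is charged one sequence number, so data on a SYN begins at seq + 1. */
uint32_t first_data_seq(const Seg *s, bool count_syn)
{
    return s->seq + ((count_syn && s->syn) ? 1u : 0u);
}

/* Walk in-order segments and return the size of the first gap between the
 * end of one segment's data and the start of the next, or 0 if contiguous.
 * uint32_t subtraction gives the right answer across sequence wrap. */
uint32_t first_gap(const Seg *segs, size_t n, bool count_syn)
{
    uint32_t next = 0;
    bool have = false;
    for (size_t i = 0; i < n; i++) {
        uint32_t start = first_data_seq(&segs[i], count_syn);
        if (have && start != next)
            return start - next;
        next = start + segs[i].payload_len;
        have = true;
    }
    return 0;
}

/* Constructed stream: a SYN carrying 10 bytes of data, then two segments
 * that follow it contiguously on the wire. */
static const Seg syn_data_stream[] = {
    { .seq = 1000, .syn = true,  .payload_len = 10 }, /* data is 1001..1010 */
    { .seq = 1011, .syn = false, .payload_len = 20 }, /* 1011..1030 */
    { .seq = 1031, .syn = false, .payload_len = 5  }, /* 1031..1035 */
};
#define NSEGS (sizeof syn_data_stream / sizeof syn_data_stream[0])

/* Pre-fix accounting: SYN data taken to start at seq, so a 1 byte gap appears. */
uint32_t gap_buggy(void) { return first_gap(syn_data_stream, NSEGS, false); }
/* Fixed accounting: SYN data starts at seq + 1 and the stream is contiguous. */
uint32_t gap_fixed(void) { return first_gap(syn_data_stream, NSEGS, true); }

int main(void)
{
    printf("gap with buggy accounting: %u\n", gap_buggy());
    printf("gap with fixed accounting: %u\n", gap_fixed());
    return 0;
}
```

A spurious gap matters beyond logging: a reassembler that believes a byte is missing will hold the following segments back or run inspection on a stream it considers broken, which is exactly the kind of desync an evasion relies on.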
When keyword __flowvar__postmatch__, an internal keyword, is used
in a rule, the 'Setup' func ptr will be NULL. This caused a crash.
(cherry picked from commit 095981cb2a)
In case of transform issues (transform not consumed before pkt_data
for example), the code would hit an ugly BUG_ON.
Address this by a more graceful error message, that will still
invalidate the sig but not crash the engine.
(cherry picked from commit 7f19da1cc0)
Implement support for limiting Teredo detection and decoding to specific
UDP ports, with 3544 as the default.
If no ports are specified, the old behaviour of detecting/decoding on any
port is still in place. This can also be forced by specifying 'any' as the
port setting.
(cherry picked from commit e97cdb48f3)
If autodiscovery of libnss was used (default), then the line
libnss support: yes
was never set to no.
Same behavior for libnspr.
Broken by commit 'configure: fix nspr check logic' (7ea269a212)
(cherry picked from commit 752fc77cdc)
The macro would not return true for smaller TCP streams, leading to
cases where the app-layer was not notified of EOF.
(cherry picked from commit e500c59b99)