Allow configuration parameters to be overridden using a fully
qualified name such as:
vars.address-groups.HOME_NET: "7.1.2.0/24"
In configuration files (including "include" files). This allows the
overriding of a specific value deeply nested in the configuration
without having to redefine the complete top-layer object.
Ticket: 4783
Work towards making `suricata-common.h` only introduce system headers
and other things that are independent of complex internal Suricata
data structures.
Update files to compile after this.
Remove special DPDK handling for strlcpy and strlcat, as this caused
many compilation failures w/o including DPDK headers for all files.
Remove packet macros from decode.h and move them into their own file,
turn them into functions and rename them to match our function naming
policy.
Register a new runmode - DPDK. This enables a new flag on Suricata start
(--dpdk).
With the flag given, DPDK runmode is enabled.
Runmode loads the configuration and then initializes EAL.
If successful, it configures the physical NICs according to the configuration
file. After that, worker threads are initialized and then run in a continuous
receive loop.
Replaces all patterns of SCLogError() followed by exit() with
FatalError(). Cocci script to do this:
@@
constant C;
constant char[] msg;
@@
- SCLogError(C,
+ FatalError(SC_ERR_FATAL,
msg);
- exit(EXIT_FAILURE);
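Review bot: the rule body matches only a two-argument SCLogError(C, msg) with a constant string, followed directly by exit(EXIT_FAILURE), so calls that pass format arguments or exit with a different status are left untouched even though the message says all patterns are replaced. Consider an `expression list` metavariable for the trailing arguments, and state in the message that the original code C is dropped in favour of SC_ERR_FATAL.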
Closes redmine ticket 3188.
There are multiple NULL-pointer dereferences after calling ConfGetBool in StreamTcpInitConfig. ConfGetBool calls ConfGet which doesn't check the vptr-argument. This is a sample ASAN-output:
==1453==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2969b83a28 bp 0x7ffdbf613a90 sp 0x7ffdbf613210 T0)
    #0 0x7f2969b83a27 in strcasecmp (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x51a27)
    #1 0x564185accefd in ConfValIsTrue /root/suricata-1/src/conf.c:559
    #2 0x564185accb4f in ConfGetBool /root/suricata-1/src/conf.c:512
    #3 0x564185dcbe05 in StreamTcpInitConfig /root/suricata-1/src/stream-tcp.c:381
    #4 0x564185e21a88 in PreRunInit /root/suricata-1/src/suricata.c:2264
    #5 0x564185e24d2c in PostConfLoadedSetup /root/suricata-1/src/suricata.c:2763
    #6 0x564185e2570e in main /root/suricata-1/src/suricata.c:2898
    #7 0x7f29662cb2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #8 0x5641859b6039 in _start (/usr/local/bin/suricata+0xc8039)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x51a27) in strcasecmp
==1453==ABORTING
This commit replaces ConfGet by ConfGetValue in ConfGetBool. This does not only fix Bug #2368 but might also fix others too.
There are several NULL-pointer derefs in StreamTCPInitConfig. All of them happen because ConfGet returns 1 even if the value is NULL (due to misconfiguration, for example).
This commit introduces a new function "ConfGetValue". It adds return values for NULL-pointer to ConfGet and could be used as a replacement for ConfGet.
Note: Simply modifying ConfGet might not be a good idea, because there are some places where ConfGet should return 1 even if "value" is NULL. For example if ConfGet should get a Config-Leave in the yaml-hierarchy.
Bug: 2354
If there are empty values in the config-file where integer values are expected, strtoimax in the ConfGetInt-function will segfault because of NULL-pointer dereference.
Here is a configuration example:
pcre.match-limit: []
This will let suricata crash with a segfault.
ASAN-output:
ASAN:DEADLYSIGNAL
=================================================================
==16951==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa690e3ccc5 bp 0x000000000000 sp 0x7ffd0d770ad0 T0)
    #0 0x7fa690e3ccc4 (/lib/x86_64-linux-gnu/libc.so.6+0x36cc4)
    #1 0x7fa6946a6534 in strtoimax (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x44534)
    #2 0x55e0aeba6499 in ConfGetInt /root/suricata-1/src/conf.c:390
    #3 0x55e0aed2545d in DetectPcreRegister /root/suricata-1/src/detect-pcre.c:99
    #4 0x55e0aec1b4ce in SigTableSetup /root/suricata-1/src/detect.c:3783
    #5 0x55e0aeeed58d in PostConfLoadedSetup /root/suricata-1/src/suricata.c:2690
    #6 0x55e0aeeee4f2 in main /root/suricata-1/src/suricata.c:2892
    #7 0x7fa690e262b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #8 0x55e0aea92d39 in _start (/usr/local/bin/suricata+0xc7d39)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x36cc4)
This commit fixes Ticket #2275
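The failure mode behind the two fixes above (a lookup that reports success for a node whose value is NULL, and a getter that hands that NULL to strcasecmp or strtoimax), shown as an added example that is not Suricata's code. The demo_* functions and the sample table are hypothetical stand-ins for ConfGet, ConfGetValue and ConfGetInt.

```c
#include <errno.h>
#include <inttypes.h>
#include <string.h>

/* Constructed sample data: val == NULL models an empty value ("pcre.match-limit: []"). */
struct demo_node { const char *name; const char *val; };
static const struct demo_node demo_conf[] = {
    { "pcre.match-limit", NULL },
    { "pcre.match-limit-recursion", "1500" },
    { "stream.memcap", "64mb" },
};

/* Lenient lookup (hypothetical): returns 1 whenever the node exists, even if its value is NULL. */
static int demo_get(const char *name, const char **vptr)
{
    for (size_t i = 0; i < sizeof(demo_conf) / sizeof(demo_conf[0]); i++) {
        if (strcmp(demo_conf[i].name, name) == 0) {
            *vptr = demo_conf[i].val;
            return 1;
        }
    }
    return 0;
}

/* Strict lookup (hypothetical): a missing node and a NULL value both return 0. */
static int demo_get_value(const char *name, const char **vptr)
{
    const char *v = NULL;
    if (vptr == NULL || !demo_get(name, &v) || v == NULL)
        return 0;
    *vptr = v;
    return 1;
}

/* Integer getter built on the strict lookup, so strtoimax() never receives NULL. */
static int demo_get_int(const char *name, intmax_t *out)
{
    const char *s = NULL;
    char *end = NULL;
    if (out == NULL || !demo_get_value(name, &s))
        return 0;
    errno = 0;
    intmax_t v = strtoimax(s, &end, 0);
    if (errno == ERANGE || end == s || *end != '\0')
        return 0; /* out of range, no digits, or trailing junk such as "64mb" */
    *out = v;
    return 1;
}

int main(void) { intmax_t v; return demo_get_int("pcre.match-limit", &v); /* 0: rejected */ }
```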
Set flags by default:
-Wmissing-prototypes
-Wmissing-declarations
-Wstrict-prototypes
-Wwrite-strings
-Wcast-align
-Wbad-function-cast
-Wformat-security
-Wno-format-nonliteral
-Wmissing-format-attribute
-funsigned-char
Fix minor compiler warnings for these new flags on gcc and clang.
Coverity 1139544
If strdup would fail, 'node' was freed but it wasn't set to NULL. The
code then returned node. The caller would not detect there was an error
and use the freed pointer.
Prevents benign log message of parent nodes of final values being
redefined (which ends up having no effect as the final nodes
are protected from being removed).
This patch introduces a new set of functions to the ConfGetChildValue
family. They permit looking under a default node if looking under
the base node has failed. This will be used to access default parameters
for a data type (for instance, first usage will be interface).
When handling the error case on SCMalloc, SCCalloc or SCStrdup
we are in an unlikely case. This patch adds the unlikely()
expression to indicate this to gcc.
This patch has been obtained via coccinelle. The transformation
is the following:
@istested@
identifier x;
statement S1;
identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)";
@@
x = func(...)
... when != x
- if (x == NULL) S1
+ if (unlikely(x == NULL)) S1
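Review bot: the test in the last two lines matches only the spelling `x == NULL`, so allocation checks written as `!x` or `NULL == x` keep their unannotated branch. Add those forms as a disjunction in the rule, or note in the message that they still need converting by hand.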
This patch adds multi interface support to AF_PACKET. A structure
is used at thread creation to give all needed information to the
input module. Parsing of the options is done in runmode preparation
through a dedicated function which returns the configuration in a
structure usable by thread creation.
The input modules need a per-interface configuration. This
implies some new operations to be able to easily parse the configuration.
The syntax of the configuration file is for example:
af-packet:
  - interface: eth0
    threads: 2
  - interface: eth1
    threads: 3
We need a way to express "get a configuration variable for interface[eth0]".
This is done by using ConfNodeLookupKeyValue() to get the matching node. After
that, the value can be fetched by using the ConfGetChildValue*() functions.