Ticket: 8289
If stream.reassembly.depth is unlimited,
an attacker controlling the 2 sides of a communication going through Suricata
can send a transition with an infinite number of headers, until suricata OOMs
Solution is to offer a configuration option to bound the number
of HTTP2 frames we store in a HTTP2 transaction, and produce an
anomaly if this bound is crossed
(cherry picked from commit 784e173278)
We used to look for a full line, but as we look fot the last eol
we need to use the right index in the not-reversed list
(cherry picked from commit 49fd7001ff)
Ticket: 8292
When we have buffered something in ctx.decoded_line,
we already looked for '\n' in it, so we do not need to run it again
Otherwise, callers that supply mime_smtp_find_url_strings with
a few bytes at a time without "\n", have a quadratic
complexity
(cherry picked from commit 8bba47aa09)
Currently in parse_request function LdapEvent::InvalidData is not set when a
request is not parsed correctly.
Ticket #8258
(cherry picked from commit de46f4ba9d)
warning: called `unwrap` on `rd.pipe` after checking its variant with `is_some`
--> src/smb/smb1.rs:858:28
|
857 | if rd.pipe.is_some() {
| -------------------- help: try: `if let Some(<item>) = rd.pipe`
858 | let pipe = rd.pipe.unwrap();
| ^^^^^^^^^^^^^^^^
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/rust-1.93.0/index.html#unnecessary_unwrap
= note: `#[warn(clippy::unnecessary_unwrap)]` on by default
(cherry picked from commit 02cb0f2ac2)
These were previously logged correctly only for nfs v3
Now, the correct opcodes are used for v2 and v4 as well
Ticket: 8222
(cherry picked from commit 1832b50506)
TLS parsers use x509-parser crate which parses X.509 certificates that
use ASN.1 DER encoding that can allow arbitrary byte sequences. An
attacker could inject null byte in a certificate anywhere to stump the
common language parsers terminating the string at a null byte leading to
a bypass of a possibly malicious certificate.
So far, the rust TLS parser for "subjectaltname" used a pattern that involved:
-> Get ASN.1 DER encoded raw data from the x509-parser crate
-> Convert this raw data to a decoded string (Rust)
-> Convert the Rust string to CString
-- The problem lies here. CString only accepts proper strings/byte
buffers and converts it into an owned C-compatible, null-terminated
string. However, if any null byte occurs in the string passed to the
CString then it panics.
In the rust TLS parser, this panic is handled by returning NULL.
This means that the parser will error out during the decoding of the
certificate. However, Suricata must be able to detect the null byte
injection attack being an IDS/IPS.
Hence, replace all such string patterns w.r.t. TLS SAN with a byte
array.
Bug 7887
(cherry picked from commit 1d7b0d9b7a)
TLS parsers use x509-parser crate which parses X.509 certificates that
use ASN.1 DER encoding that can allow arbitrary byte sequences. An
attacker could inject null byte in a certificate anywhere to stump the
common language parsers terminating the string at a null byte leading to
a bypass of a possibly malicious certificate.
So far, the rust TLS parser for "issuerdn" used a pattern that involved:
-> Get ASN.1 DER encoded raw data from the x509-parser crate
-> Convert this raw data to a decoded string (Rust)
-> Convert the Rust string to CString
-- The problem lies here. CString only accepts proper strings/byte
buffers and converts it into an owned C-compatible, null-terminated
string. However, if any null byte occurs in the string passed to the
CString then it panics.
In the rust TLS parser, this panic is handled by returning NULL.
This means that the parser will error out during the decoding of the
certificate. However, Suricata must be able to detect the null byte
injection attack being an IDS/IPS.
Hence, replace all such string patterns w.r.t. TLS IssuerDN with a byte
array.
Bug 7887
(cherry picked from commit f025e07191)
TLS parsers use x509-parser crate which parses X.509 certificates that
use ASN.1 DER encoding that can allow arbitrary byte sequences. An
attacker could inject null byte in a certificate anywhere to stump the
common language parsers terminating the string at a null byte leading to
a bypass of a possibly malicious certificate.
So far, the rust TLS parser for "Subject" used a pattern that involved:
-> Get ASN.1 DER encoded raw data from the x509-parser crate
-> Convert this raw data to a decoded string (Rust)
-> Convert the Rust string to CString
-- The problem lies here. CString only accepts proper strings/byte
buffers and converts it into an owned C-compatible, null-terminated
string. However, if any null byte occurs in the string passed to the
CString then it panics.
In the rust TLS parser, this panic is handled by returning NULL.
This means that the parser will error out during the decoding of the
certificate. However, Suricata must be able to detect the null byte
injection attack being an IDS/IPS.
Hence, replace all such string patterns w.r.t. TLS Subject with a byte
array.
Bug 7887
(cherry picked from commit 77c21b05d2)
DCERPC parsers had no upper bounds when it came to extending the stub
data buffer. Traffic can be crafted to bypass some internal parser
conditions to create an indefinite buffering in the stub_data array that
can make Suricata crash.
Add a default limit of 1MiB and make it configurable for the user.
Security 8182
Co-authored-by: Philippe Antoine <pantoine@oisf.net>
(cherry picked from commit e412215af9)
Ticket: 8201
Limits the quadratic complexity if each packet, restarting the
header parsing, just adds a new folded line.
This was previously bounded by the configurable max header length
(cherry picked from commit fa5a4a994a)
As we want the last tx
Ticket: 8156
The generic function AppLayerParserGetTxCnt calls for HTTP1
Transactions.size()
This function has some specific code, as we may have pre-created
a tx that we do not want to count.
This used to get the last tx by iterating over all the transactions
waiting to find the one with max index.
So, instead of using the Transactions.get function, we get the last
tx out of the VecDeque and check its index.
(cherry picked from commit af246ae7ab)
While debug_validate_bug_on is still used, it does not need to be
imported directly, as that macro is marked with `macro_export`, making
it globally available to the crate.
(cherry picked from commit 50224f2ee5)
Better track the state so it's known when to expect a base64 request
message. Also better validate the base64.
Ticket: #7994.
(cherry picked from commit 80d5afe91b)
Improve multiline commands and SASL auth.
Work around missing support in crate for empty server challenge and SASL base64 data.
Ticket: #7709.
(cherry picked from commit acef961645)
Ticket: 7980
Usage of Vec<u8> instead of Box<u8> gave the ability to callers
to grow the buffer (indefinitely)
This was regressed in 16fee33368
Additionnaly, use rust WriteZero instead of WouldBlock as a more
fitting error when cursor is full, as that error kind is the
one tested by callers.
(cherry picked from commit f2b6540c52)
Realloc alp_ctx.ctxs when a dynamic alproto is registered and
g_alproto_max increases. So dynamic alproto can be treated as
real/normal ones. And app-layer switch can be set to any value
of no/deteciton-only/yes.
Ticket: 8000
(cherry picked from commit c141c55bc6)
Track what attributes have been logged and skip over duplicate
attributes to avoid having duplicate fields in the JSON object, which
is invalid JSON.
This is lossy, subsequent attributes are lost.
Ticket: #7923
To support alternative cargo and rustc programs (such as cargo-1.82),
respect CARGO and RUSTC environment variables during ./configure much
like CC.
RUSTFMT is also respected as that is required for the tests, and Cargo
can't figure this out like it can for rustc (perhaps a bug in the
packaging).
For cbindgen, we have also have to make sure the cargo environment
variable is set for each invocation.
To build with Ubuntu's Rust 1.82 packaging:
CARGO=cargo-1.82 RUSTC=rustc-1.82 RUSTDOC=rustdoc-1.82 \
./configure
Note that setting RUSTDOC is only required for commands like "make
check" to pass.
Ticket: #7877
Philippe Antoine
Lukas Sismis
Jason Ish
Victor Julien
Giuseppe Longo
Shivani Bhardwaj
Juliana Fajardini
Jhonny Sousa
Jeff Lucovsky
Li Heng
Jason Ish