Some drivers (e.g. BNXT) fail to report stats after the device is
stopped. Move stats collection (DPDKDumpCounters and PrintDPDKPortXstats)
to run before rte_eth_dev_stop() in HandleShutdown.
Also change PrintDPDKPortXstats error handling from FatalError to
graceful return since stats collection failures during shutdown
should not crash the application.
The commit removes ThreadExitPrintStats callback as the function had no
useful features after the stats were moved.
Ticket: 8253
(cherry picked from commit 27f398b5f2)
warning: called `unwrap` on `rd.pipe` after checking its variant with `is_some`
--> src/smb/smb1.rs:858:28
|
857 | if rd.pipe.is_some() {
| -------------------- help: try: `if let Some(<item>) = rd.pipe`
858 | let pipe = rd.pipe.unwrap();
| ^^^^^^^^^^^^^^^^
|
= help: for further information visit https://rust-lang.github.io/rust-clippy/rust-1.93.0/index.html#unnecessary_unwrap
= note: `#[warn(clippy::unnecessary_unwrap)]` on by default
(cherry picked from commit 02cb0f2ac2)
Ticket: 8224
We sometimes set events to the last tx, so we do not have access
to the HtpTxUserData in the caller HTPHandleError
(cherry picked from commit c333b28719)
When in a `base64_decode`-`base64_data` pair the decode was depending
on another match through the relative option, the `buffer_offset` would
be updated to the relative position of the previous match. During the
`base64_data` phase, a relative match would use that offset even though
the match happened in a new buffer.
Example::
http.request_body; content:"|27|"; \
base64_decode:relative; \
base64_data; content:"|ff ff ff ff|"; within:16;
This use of the `buffer_offset` is incorrect as that value is relative
to a buffer and the `base64_data` points to a new buffer.
This patch addresses this by resetting DetectEngineThreadCtx::buffer_offset
before inspecting `base64_data`.
Bug: #7842.
(cherry picked from commit 5f92a6cac3)
16384 is used as the max, but a configuration parameter has been
provided. The reason for setting an upper bound is that bit flags can
create a memory amplification as we parse them into individual data
structures.
Ticket: #8181
(cherry picked from commit 3a32bb5743)
Lower the number of unreplied requests from 500 to 32 to consider a
flood. At the very least this is an anomaly given the DNP3 spec mentions
that DNP3 should only have one outstanding request at a time, with an
exception for unsolicited responses, so in practice no more than 2
should be seen.
Additionally make this value configurable by introducing the max-tx
parameter.
Ticket: #8181
(cherry picked from commit a16f087b93)
Complete is a flag used to tell if the message was completely parsed,
as not all messages may be completely parsed if we don't know all
their objects. However, they are still "done".
In the alstate-progress callback, check the done flag, not the
complete flag.
Ticket: #8181
(cherry picked from commit d61eef9a8a)
DCERPC parsers had no upper bounds when it came to extending the stub
data buffer. Traffic can be crafted to bypass some internal parser
conditions to create an indefinite buffering in the stub_data array that
can make Suricata crash.
Add a default limit of 1MiB and make it configurable for the user.
Security 8182
Co-authored-by: Philippe Antoine <pantoine@oisf.net>
(cherry picked from commit e412215af9)
So far, the alert queue was expanded by doubling in size w/o any
boundary checks in place. This led to situations where doubling
the alert_queue_capacity meant overflow of the very same value
stored in det_ctx.
This led to heap-use-after-free in some conditions where
det_ctx->alert_queue_capacity overflowed.
Fix this by capping the max of alert_queue_capacity by checking if its
expansion could result in an overflow.
Security 8190
(cherry picked from commit ac1eb39418)
Ticket: 8156
In case of non-tx alerts, we try to loop over all the txs to find
the xff header. Do not start from tx_id 0, but from min_id
as AppLayerParserTransactionsCleanup to skip txs that were freed
(cherry picked from commit 3b1a6c1711)
When FlowSwap() reverses the direction of a flow, the MAC address sets
stored in the flow also need to be swapped to maintain consistency with
the new direction. Previously, MAC addresses were not swapped along with
other flow properties like packet/byte counters.
Ticket #8172
(cherry picked from commit f1b9669ed5)
To fix a null ptr deref:
Program received signal SIGSEGV, Segmentation fault.
__strcmp_avx2_rtm () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:115
115 ../sysdeps/x86_64/multiarch/strcmp-avx2.S: No such file or directory.
(gdb) bt
#0 __strcmp_avx2_rtm () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:115
#1 0x000055555568afec in AffinitySetupLoadFromConfig () at util-affinity.c:183
#2 0x0000555555748785 in RunModeInitializeThreadSettings () at runmodes.c:1000
#3 0x0000555555682f51 in SuricataMain (argc=19, argv=<optimized out>) at suricata.c:2979
#4 0x00007ffff6829d90 in __libc_start_call_main (main=main@entry=0x55555567fa20 <main>, argc=argc@entry=19, argv=argv@entry=0x7fffffffe168) at ../sysdeps/nptl/libc_start_call_main.h:58
#5 0x00007ffff6829e40 in __libc_start_main_impl (main=0x55555567fa20 <main>, argc=19, argv=0x7fffffffe168, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe158) at ../csu/libc-start.c:392
#6 0x000055555567f955 in _start ()
(gdb) f 1
#1 0x000055555568afec in AffinitySetupLoadFromConfig () at util-affinity.c:183
183 if (strcmp(affinity->val, "decode-cpu-set") == 0 ||
(gdb) p affinity->val
$1 = 0x0
Introduce KiB, MiB and GiB. They are case sensitive as a lower case 'b'
means bits in the IEEE 1541 scheme.
KiB = 1024
MiB = 1048576
GiB = 1073741824
Ticket: #1457.
(cherry picked from commit 342aec8f1c)
Left the error messages untouched in the backport. So this is more
quietly supporting the new units.
This commit adds the null output device; to use, set the filetype
to "nullsink" for each output that should discard and never persist
logs/alerts/etc.
This is implemented as an "internal eve output plugin" just like the
syslog eve output type.
(cherry picked from commit ad96382cf2)
While debug_validate_bug_on is still used, it does not need to be
imported directly, as that macro is marked with `macro_export`, making
it globally available to the crate.
(cherry picked from commit 50224f2ee5)
Ticket: 3220
DetectSslVersionMatch did not handle properly negation.
It could never match on a signatrue with ssl_version: !tls1.3
That is because, if we had such a signature and network traffic
with tls1.1, we were looking into DetectSslVersionData field
for tls1.1, which was not set, instead of looking at field
for tls1.3 which was set with negated flag.
Previous DetectSslVersionData was holding redundant information.
It did not need to have it for each ssl version, but just globally.
Also, it did not need to hold the version as a value in the array,
as it was redundant with the index of the array.
(cherry picked from commit c93e69830a)
Allow rejecting both sides of a connection. Has the same support
as regular reject (which is essentially rejectsrc).
Ticket: #5974.
(cherry picked from commit 4905f38470)
The `stats.capture` object may have different properties based on the
capture method used.
This adds the ones pertaining to AF_PACKET capture.
Related to
Task #6434
(cherry-picked from commit 2855574a2c)
While the counters exist, they're not present in the schema, causing
validation to fail if stats.stream-events is enabled.
Task #7858
(cherry picked from commit 025ffa6135)
The schema accounts for a stats counters group that is a subgroup of the
flows stats counters. Remove `flow_mgr`, thus.
(cherry-picked from commit 173fec81f8)
In `add-hostbit`, `remove-hostbit` and `list-hostbit` commands, the IPv6
address parsing was not using the correct variable:
from /usr/include/dirent.h:25,
from suricata-common.h:73,
from runmode-unix-socket.c:18:
In function ‘inet_pton’,
inlined from ‘UnixSocketHostbitAdd’ at runmode-unix-socket.c:1316:13:
/usr/include/x86_64-linux-gnu/bits/inet-fortified.h:56:10: warning: call to ‘__inet_pton_chk_warn’ declared with attribute warning: inet_pton called with a destination buffer size too small [-Wattribute-warning]
56 | return __glibc_fortify (inet_pton, __sz, sizeof (char),
| ^~~~~~~~~~~~~~~
In function ‘inet_pton’,
inlined from ‘UnixSocketHostbitRemove’ at runmode-unix-socket.c:1403:13:
/usr/include/x86_64-linux-gnu/bits/inet-fortified.h:56:10: warning: call to ‘__inet_pton_chk_warn’ declared with attribute warning: inet_pton called with a destination buffer size too small [-Wattribute-warning]
56 | return __glibc_fortify (inet_pton, __sz, sizeof (char),
| ^~~~~~~~~~~~~~~
In function ‘inet_pton’,
inlined from ‘UnixSocketHostbitList’ at runmode-unix-socket.c:1476:13:
/usr/include/x86_64-linux-gnu/bits/inet-fortified.h:56:10: warning: call to ‘__inet_pton_chk_warn’ declared with attribute warning: inet_pton called with a destination buffer size too small [-Wattribute-warning]
56 | return __glibc_fortify (inet_pton, __sz, sizeof (char),
| ^~~~~~~~~~~~~~~
Bug: #8102.
(cherry picked from commit 874a0e8d3d)
In file included from decode.h:33,
from host.h:27,
from util-threshold-config.c:34:
util-threshold-config.c: In function 'SCThresholdConfInitContext':
util-debug.h:260:5: warning: '%s' directive argument is null [-Wformat-overflow=]
260 | SCLogErr(SC_LOG_WARNING, __FILE__, __FUNCTION__, __LINE__, _sc_module, __VA_ARGS__)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
util-threshold-config.c:190:9: note: in expansion of macro 'SCLogWarning'
190 | SCLogWarning("Error loading threshold configuration from %s", filename);
| ^~~~~~~~~~~~
util-threshold-config.c:190:66: note: format string is defined here
190 | SCLogWarning("Error loading threshold configuration from %s", filename);
| ^~
(cherry picked from commit 3a0f4dde07)
Philippe Antoine
Lukas Sismis
Victor Julien
Shivani Bhardwaj
Jason Ish
Giuseppe Longo
Jeff Lucovsky
Juliana Fajardini