A bad timestamp would lead to SCLocalTime returning NULL. This case
wasn't checked, leading to a NULL deref.
Reported-by: Kostya Kortchinsky of the Google Security Team
Due to an error at initialization, the stream engine would not disable
'raw' reassembly automatically when --disable-detection was used.
This lead to segments not getting cleared from the segment lists.
If the capture method would offer the packets of a new flow to a
different thread, and this flow would still be in use for the previous
TCP session, a deadlock could happen.
Suricata didn't consider a flow to be timed out, while the capture
method considered it to be a new session that could be send to a
different thread.
This patch defers the flow's de_state cleanup to the next 'Detect()'
invocation, so that we preserve the proper locking order.
The alert-debuglog writer for non-decoder events was writing
directly to the log file so the write wrapper was not checking
for file rotation like it would in the decoder event case.
This will prevent log files that have not been rotated by some
external tool from being deleted, but log files that were
rotated (moved out of the way) will be re-opened.
This is a better default behaviour, especially when not all
log files are rotated at the same time.
Thanks to iro on IRC.
On midstream SYN/ACK pickups, we would flip the direction of packets
after the first. This meant the first (pickup) packet's direction
was wrong.
This patch fixes that.
The HTTP tracking code would parse the content lenght and store it
in the TX user data. It didn't take the possibility or errors into
account though, leading to a possible negative int being cases to
unsigned int. Luckily, the result was unused.
This patch simply removes the offending code.
Reported-by: The Yahoo pentest team
Fix error handling of stub parsers. In case of SCRealloc error the
function would return a non-error code. This could possibly lead to
memory corruption.
Reported-By: The Yahoo pentest team
cc1: warnings being treated as errors
app-layer-smtp.c: In function ‘SMTPParseCommandBDAT’:
app-layer-smtp.c:639: warning: dereferencing type-punned pointer will break strict-aliasing rules
make[3]: *** [app-layer-smtp.o] Error 1
FilePrune would clear the files, but not free them and remove them
from the list. This lead to ever growing lists in some cases.
Especially in HTTP sessions with many transactions, this could slow
us down.
Work around OS X 10.10 Yosemite returning EDEADLK on a rwlock wrlocked
then tested by wrtrylock. All other OS' (and versions of OS X that I
tested) seem to return EBUSY instead.
MemcmpLowercase would not compare the first byte of both input buffers
leading to two non-identical buffers to be considered the same.
Tile version is not affected.
** CID 1257764: Dereference after null check (FORWARD_NULL)
/src/defrag.c: 291 in Defrag4Reassemble()
** CID 1257763: Dereference after null check (FORWARD_NULL)
/src/defrag.c: 409 in Defrag6Reassemble()
In the error case 'rp' can be both NULL or non-NULL.
This patches is fixing a issue in the OutputJSONBuffer function. It
was writing to file the content of the buffer starting from the start
to the final offset. But as the writing is done for each JSON string
we are duplicating the previous events if we are reusing the same
buffer.
Duplication was for example triggered when we have multiple alerts
attached to a packet. In the case of two alerts, the first one was
logged twice more as the second one.
This si almost the same code as the one of master but it fixes a
conflict during cherry picking in:
src/output-json-alert.c
Victor Julien
Pierre Chifflier
Alexander Gozman
Jason Ish
Jason Ish
Eric Leblond
Ken Steele