From 10c93221faf841e0819c4d84604ced63500fd1e1 Mon Sep 17 00:00:00 2001
From: Mats Klepsland
Date: Fri, 16 Dec 2016 13:04:03 +0100
Subject: [PATCH] tls: increase max number of tls records per packet
Tls packets may contain several records. This increase the number of allowed records per packet from 30 to 255, and adds a new and more informative decoder event when this limit is reached.
---
 rules/tls-events.rules | 3 ++-
 src/app-layer-ssl.c | 8 ++++++--
 src/app-layer-ssl.h | 1 +
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/rules/tls-events.rules b/rules/tls-events.rules
index f22b1fed93..2555f18952 100644
--- a/rules/tls-events.rules
+++ b/rules/tls-events.rules
@@ -26,5 +26,6 @@ alert tls any any -> any any (msg:"SURICATA TLS multiple SNI extensions"; flow:e
 alert tls any any -> any any (msg:"SURICATA TLS invalid SNI type"; flow:established,to_server; app-layer-event:tls.invalid_sni_type; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230017; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS invalid SNI length"; flow:established,to_server; app-layer-event:tls.invalid_sni_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230018; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS handshake invalid length"; flow:established; app-layer-event:tls.handshake_invalid_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230019; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS too many records in packet"; flow:established; app-layer-event:tls.too_many_records_in_packet; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230020; rev:1;)
-#next sid is 2230020
+#next sid is 2230021
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index 5de302ed87..6483f224d6 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -67,6 +67,7 @@ SCEnumCharMap tls_decoder_event_table[ ] = {
 { "MULTIPLE_SNI_EXTENSIONS", TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS },
 { "INVALID_SNI_TYPE", TLS_DECODER_EVENT_INVALID_SNI_TYPE },
 { "INVALID_SNI_LENGTH", TLS_DECODER_EVENT_INVALID_SNI_LENGTH },
+ { "TOO_MANY_RECORDS_IN_PACKET", TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET },
 /* certificate decoding messages */
 { "INVALID_CERTIFICATE", TLS_DECODER_EVENT_INVALID_CERTIFICATE },
 { "CERTIFICATE_MISSING_ELEMENT", TLS_DECODER_EVENT_CERTIFICATE_MISSING_ELEMENT },
@@ -131,6 +132,8 @@ SslConfig ssl_config;
 #define TLS_HB_REQUEST 1
 #define TLS_HB_RESPONSE 2
+#define SSL_PACKET_MAX_RECORDS 255
+
 #define HAS_SPACE(n) ((uint32_t)((input) + (n) - (initial_input)) > (uint32_t)(input_len)) ? 0 : 1
 static void SSLParserReset(SSLState *ssl_state)
@@ -1365,11 +1368,12 @@ static int SSLDecode(Flow *f, uint8_t direction, void *alstate, AppLayerParserSt
 /* if we have more than one record */
 while (input_len > 0) {
- if (counter++ == 30) {
+ if (counter++ == SSL_PACKET_MAX_RECORDS) {
 SCLogDebug("Looks like we have looped quite a bit. Reset state "
 "and get out of here");
 SSLParserReset(ssl_state);
- SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_SSL_RECORD);
+ SSLSetEvent(ssl_state,
+ TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET);
 return -1;
 }
diff --git a/src/app-layer-ssl.h b/src/app-layer-ssl.h
index 31ca913e74..1a8a0a2ec2 100644
--- a/src/app-layer-ssl.h
+++ b/src/app-layer-ssl.h
@@ -46,6 +46,7 @@ enum {
 TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS,
 TLS_DECODER_EVENT_INVALID_SNI_TYPE,
 TLS_DECODER_EVENT_INVALID_SNI_LENGTH,
+ TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET,
 /* Certificates decoding messages */
 TLS_DECODER_EVENT_INVALID_CERTIFICATE,
 TLS_DECODER_EVENT_CERTIFICATE_MISSING_ELEMENT,
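Review bot: The limit branch in the SSLDecode hunk still calls SSLParserReset() and returns -1 after raising the new event, so once an input chunk carries more than SSL_PACKET_MAX_RECORDS records the decoder drops all accumulated TLS state for that flow rather than only flagging the anomaly; that consequence is unchanged from the old hard-coded 30, but now that the event is named and has its own rule it should be stated next to the constant. I'd document it in the `#define` hunk, e.g. `/* Max TLS records decoded from one input chunk; beyond this the parser state is reset, TOO_MANY_RECORDS_IN_PACKET is raised and SSLDecode returns -1. */`. The `counter` variable and the rest of SSLDecode are declared outside the hunk; it must be at least as wide as 255 for the equality test to be reachable, so worth a glance. If the input to SSLDecode can be reassembled stream data rather than a single packet, the "in packet" wording of the event and rule is slightly misleading, though the change is otherwise consistent across the .c, .h and rules hunks.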