diff --git a/src/suricata.c b/src/suricata.c
index f964af3f8f..0dbce74adc 100644
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -1057,6 +1057,7 @@ int main(int argc, char **argv)
 AppLayerHtpRegisterExtraCallbacks();
 SCThresholdConfInitContext(de_ctx,NULL);
+ SCAsn1LoadConfig();
 struct timeval start_time;
 memset(&start_time, 0, sizeof(start_time));
diff --git a/src/util-decode-asn1.c b/src/util-decode-asn1.c
index 694a20fabc..093cec5989 100644
--- a/src/util-decode-asn1.c
+++ b/src/util-decode-asn1.c
@@ -31,7 +31,20 @@
 #include "util-print.h"
 #include "util-decode-asn1.h"
+#include "conf.h"
+uint16_t asn1_max_frames_config = ASN1_MAX_FRAMES;
+
+void SCAsn1LoadConfig() {
+ intmax_t value = 0;
+
+ /** set config defaults */
+ if ((ConfGetInt("asn1_max_frames", &value)) == 1) {
+ asn1_max_frames_config = (uint16_t)value;
+ SCLogDebug("Max stack frame set to %"PRIu16, asn1_max_frames_config);
+ }
+
+}
 /**
 * \brief Decode and check the identifier information of the
@@ -325,10 +338,19 @@ uint8_t SCAsn1CheckBounds(Asn1Ctx *ac) {
 Asn1Ctx *SCAsn1CtxNew(void) {
 Asn1Ctx *ac = SCMalloc(sizeof(Asn1Ctx));
- if (ac == NULL)
+ if (ac == NULL) {
+ SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
 return NULL;
-
+ }
 memset(ac, 0, sizeof(Asn1Ctx));
+
+ ac->asn1_stack = SCMalloc(sizeof(Asn1Node *) * asn1_max_frames_config);
+ if (ac->asn1_stack == NULL) {
+ SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
+ return NULL;
+ }
+ memset(ac->asn1_stack, 0, sizeof(Asn1Node *) * asn1_max_frames_config);
+
 return ac;
 }
@@ -361,10 +383,14 @@ void SCAsn1CtxDestroy(Asn1Ctx *ac) {
 * \retval Asn1Node pointer to the new node allocated
 */
 Asn1Node *SCAsn1CtxNewFrame(Asn1Ctx *ac, uint16_t node) {
+ if (node >= asn1_max_frames_config) {
+ return NULL;
+ }
+
 if (ac->asn1_stack[node] == NULL)
 ac->asn1_stack[node] = SCMalloc(sizeof(Asn1Node));
- if (ac->asn1_stack[node] == NULL)
+ if (&ac->asn1_stack[node] == NULL)
 return NULL;
 memset(ac->asn1_stack[node], 0, sizeof(Asn1Node));
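Review bot: In SCAsn1LoadConfig the value returned by ConfGetInt is cast straight to `uint16_t` with no range check, so a negative number or anything above 65535 silently wraps, and a resulting 0 sizes the frame stack at zero entries, after which SCAsn1CtxNewFrame rejects every frame and ASN.1 inspection stops without any visible error. Validate before assigning and keep the default otherwise, for example `if (value < 1 || value > UINT16_MAX) { /* log a warning, keep ASN1_MAX_FRAMES */ return; }`. The effective limit is only reported through SCLogDebug, which an operator will probably not see in a normal build, so a rejected or accepted value deserves a message at a level that is always emitted. The definition and the prototype in util-decode-asn1.h should also read `void SCAsn1LoadConfig(void)`, and the suricata.yaml comment should state the accepted range.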
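Review bot: The new failure branch after `ac->asn1_stack = SCMalloc(...)` in SCAsn1CtxNew returns NULL without releasing `ac`, so every failed stack allocation leaks the context; add `SCFree(ac);` before that `return NULL;`. No hunk on this page touches SCAsn1CtxDestroy, so unless it is updated elsewhere the heap-allocated `asn1_stack` array is never freed when a context is destroyed, which would leak one array per decoded buffer. A short comment above the allocation stating that the array holds `asn1_max_frames_config` slots and is owned by the context would make the pairing with the destroy path explicit.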
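Review bot: The rewritten check `if (&ac->asn1_stack[node] == NULL)` in SCAsn1CtxNewFrame tests the address of the array slot, which can never be NULL, so a failed SCMalloc for the frame is no longer caught. The `memset(ac->asn1_stack[node], 0, sizeof(Asn1Node))` that follows then writes through a NULL pointer, which means a sensor crash in the decode path under memory pressure. Restore the original test, `if (ac->asn1_stack[node] == NULL)`. The added `node >= asn1_max_frames_config` guard at the top is a sound bounds check; the function body continues past the end of the hunk.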
@@ -404,7 +430,7 @@ uint8_t SCAsn1Decode(Asn1Ctx *ac, uint16_t node_id) {
 /* while remaining data, and no fatal error, or end, or max stack frames */
 while (ac->iter < ac->end && !(ac->parser_status & ASN1_STATUS_DONE)
- && ac->cur_frame < ASN1_MAX_FRAMES)
+ && ac->cur_frame < asn1_max_frames_config)
 {
 /* Prepare a new frame */
 if (SCAsn1CtxNewFrame(ac, node_id) == NULL)
diff --git a/src/util-decode-asn1.h b/src/util-decode-asn1.h
index 435253259a..d3ff9a3e86 100644
--- a/src/util-decode-asn1.h
+++ b/src/util-decode-asn1.h
@@ -181,8 +181,9 @@ typedef struct Asn1Ctx_ {
 uint8_t *iter;
- uint8_t cur_frame;
- Asn1Node *asn1_stack[ASN1_MAX_FRAMES];
+ uint16_t cur_frame;
+ Asn1Node *asn1_stack2[ASN1_MAX_FRAMES];
+ Asn1Node **asn1_stack;
 uint8_t parser_status;
@@ -213,6 +214,7 @@ uint8_t SCAsn1DecodeContent(Asn1Ctx *);
 uint8_t SCAsn1CheckBounds(Asn1Ctx *);
 void DecodeAsn1RegisterTests(void);
+void SCAsn1LoadConfig();
 #endif /* __DECODE_ASN1_H__ */
diff --git a/suricata.yaml b/suricata.yaml
index e750af9b12..46aac3209c 100644
--- a/suricata.yaml
+++ b/suricata.yaml
@@ -473,6 +473,10 @@ host-os-policy:
 vista: []
 windows2k3: []
+
+# Limit for the maximum number of asn1 frames to decode (default 256)
+asn1_max_frames: 256
+
 ###########################################################################
 # Configure libhtp.
 #
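Review bot: The loop bound in SCAsn1Decode now reads the global `asn1_max_frames_config`, while the stack it protects was sized from that global at the moment the context was created in SCAsn1CtxNew. If any Asn1Ctx is created before SCAsn1LoadConfig() runs (not visible from this page), or the value ever changes afterwards, the bound and the allocation disagree and `asn1_stack` can be indexed past its end. Recording the capacity in the context at allocation time, for example a `uint16_t asn1_stack_size` member, and comparing `ac->cur_frame < ac->asn1_stack_size` here and in SCAsn1CtxNewFrame would tie the check to the actual allocation. The loop body continues outside the hunk.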
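Review bot: `Asn1Node *asn1_stack2[ASN1_MAX_FRAMES];` keeps the old fixed-size array in every Asn1Ctx under a new name, and nothing on this page reads or writes it. It looks like a leftover from the conversion to a heap-allocated stack and costs ASN1_MAX_FRAMES pointers per context, so drop the member or add a comment explaining why it must stay. The new `Asn1Node **asn1_stack;` member should carry a comment saying it is allocated in SCAsn1CtxNew with `asn1_max_frames_config` entries and which function frees it.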