detect: set event if max inspect buffers exceeded

If a parser exceeds 1024 buffers we stop processing them and
set a detect event instead. This is to avoid parser bugs as well as
crafted bad traffic leading to resource starvation due to excessive
loops.
Victor Julien 4 years ago
parent 3dc50322db
commit e611adf3dc

@ -121,6 +121,10 @@ SCEnumCharMap det_ctx_event_table[] = {
{ "LZMA_DATA_ERROR", FILE_DECODER_EVENT_LZMA_DATA_ERROR },
{ "LZMA_BUF_ERROR", FILE_DECODER_EVENT_LZMA_BUF_ERROR },
{ "LZMA_UNKNOWN_ERROR", FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR },
{
"TOO_MANY_BUFFERS",
DETECT_EVENT_TOO_MANY_BUFFERS,
},
{ NULL, -1 },
};
@ -1027,6 +1031,11 @@ static InspectionBufferMultipleForList *InspectionBufferGetMulti(
InspectionBuffer *InspectionBufferMultipleForListGet(
DetectEngineThreadCtx *det_ctx, const int list_id, const uint32_t local_id)
{
if (unlikely(local_id >= 1024)) {
DetectEngineSetEvent(det_ctx, DETECT_EVENT_TOO_MANY_BUFFERS);
return NULL;
}
InspectionBufferMultipleForList *fb = InspectionBufferGetMulti(det_ctx, list_id);
if (local_id >= fb->size) {
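Review bot: The cap in `if (unlikely(local_id >= 1024)) {` is a bare magic number even though the commit message and the new event both hinge on it; give it a name so the limit can be found and tuned in one place, e.g. `#define DETECT_ENGINE_INSPECT_BUFFER_MAX 1024` next to the event enum and `if (unlikely(local_id >= DETECT_ENGINE_INSPECT_BUFFER_MAX)) {` here. A one-line comment above the check, such as `/* bound the per-list buffer walk: guards against parser bugs and crafted traffic producing unbounded buffer loops */`, would carry the rationale from the commit message into the code. The early `return NULL` also hands callers a NULL where, as far as this hunk shows, they may previously have always received a buffer; every caller of InspectionBufferMultipleForListGet should be audited for a NULL check, which I cannot confirm from here. The function body continues past the end of the hunk.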

@ -1225,6 +1225,8 @@ enum {
FILE_DECODER_EVENT_LZMA_DATA_ERROR,
FILE_DECODER_EVENT_LZMA_BUF_ERROR,
FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR,
DETECT_EVENT_TOO_MANY_BUFFERS,
};
#define SIG_GROUP_HEAD_HAVERAWSTREAM BIT_U32(0)
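Review bot: `DETECT_EVENT_TOO_MANY_BUFFERS,` is added without a comment, and among the visible entries it is the only DETECT_EVENT_* name in an enum otherwise populated by FILE_DECODER_EVENT_* values, so its trigger is not discoverable from the header alone; I would add `/* a parser produced more inspect buffers for one list than the detect engine will walk; set by InspectionBufferMultipleForListGet */` above it. The enum begins before this hunk, so I cannot see whether it already carries a header comment that explains the mixed naming.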
