Commit Graph

18967 Commits (5db471500c69890d01e4b61bd15f9ac16695c83b)
 

Author SHA1 Message Date
Philippe Antoine 5db471500c rust/ffi: remove altemplate plugin last dependency on suricata crate
Ticket: 7666
2 months ago
Philippe Antoine b90adcc2bb rust/ffi: move AppLayerTxData to ffi
Ticket: 7666
2 months ago
Philippe Antoine bce88dd83f rust: build depends on ffi/Cargo.toml.in 2 months ago
Philippe Antoine 0773fba5fd rust/ffi: move txdata flags to ffi
Ticket: 7666
2 months ago
Philippe Antoine 2525ea2e37 rust/ffi: move direction to ffi
Ticket: 7666
2 months ago
Philippe Antoine 5440e41314 rust/ffi: move debug validations macros to ffi
Ticket: 7666
2 months ago
Philippe Antoine 6dff07b631 detect/lua: remove unused macros 2 months ago
Andreas Dolp 2f972b6759 doc: improve manpage of suricatasc
- describe all options
- describe optional socket path

Redmine ticket: #8563
2 months ago
Victor Julien 95b7f2b998 scan-build: support taint filtering
Support scan-build's taint filtering logic. Adds a yaml config to mark
a dedicated debug validation function as filtering a taint.

Use to suppress warnings in reference, threshold and classification file
handling.

Ticket: #3153.
2 months ago
Victor Julien fbaaa9dcae github-actions: update scan-build to clang-22
Run it on Ubuntu 26.04.

Update enabled checkers.

Ticket: #3153.
2 months ago
Victor Julien 524503b572 detect/prefilter: rewrite loop to assist scan-build
Also address a theoretical edge case where memory allocation failure
could lead to overrunning the sids array.
2 months ago
Victor Julien e5650ebcbd scan-build: suppress more warnings 2 months ago
Victor Julien 02f6a4fd87 detect: work around scan-build warning
detect-engine.c:2350:69: warning: Out of bound access to memory after the end of 'new_det_ctx' [security.ArrayBound]
 2350 |             FlowWorkerReplaceDetectCtx(SC_ATOMIC_GET(s->slot_data), new_det_ctx[i]);
      |                                                                     ^~~~~~~~~~~~~~
1 warning generated.
2 months ago
Victor Julien dc6696ac04 bpf: work around scan-build warning
suricata.c:574:5: warning: Potential out of bound access to the heap area with tainted index [security.ArrayBound]
  574 |     bpf_filter[nm] = '\0';
      |     ^~~~~~~~~~~~~~
1 warning generated.
2 months ago
Victor Julien 06dcb5aeb0 detect/flowbits: fix scan-build 0-size alloc warning
detect-flowbits.c:761:29: warning: Call to 'calloc' has an allocation size of 0 bytes [optin.portability.UnixAPI]
  761 |                             SCCalloc(sids_array_size, sizeof(uint32_t));
      |                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./util-mem.h:36:18: note: expanded from macro 'SCCalloc'
   36 | #define SCCalloc calloc
      |                  ^
1 warning generated.
2 months ago
Victor Julien 0c9e17b454 detect/file.data: suppress scan-build false positive 2 months ago
Victor Julien af937f61dc defrag: rearrange Frag struct to save 8 bytes
Avoid large gaps in the layout.
2 months ago
Victor Julien 9d693a72b6 stream: minor code cleanups 2 months ago
Victor Julien 24e7f3439e stream: don't double check pointer
Checked right above it as well.
2 months ago
Victor Julien d17c0bf096 stream: remove error messages in the packet path
Would only happen during allocation failure.
2 months ago
Victor Julien 2bcebe5285 stream: avoid double memset
Already done by StreamTcpThreadCacheGetSegment().
2 months ago
Victor Julien 474788fd49 pool: remove InitData argument
Only used in unittests.

Update Init callback and update callers.
2 months ago
Victor Julien dc05422769 defrag: remove pool Init callback
Built-in callback does the same thing (memset).
2 months ago
Victor Julien a27b9a6c49 defrag: remove unused InitData argument 2 months ago
Victor Julien af6ec14688 pool/thread: remove unused InitData argument
Only used in unittests, not by production code.
2 months ago
Victor Julien d0ad6ddf19 pool: remove unused Free callback
Not used so not tested.
2 months ago
Victor Julien d4575f5765 pool/thread: remove unused Free callback
Not used so not tested.
2 months ago
Victor Julien 4624028722 pool: fix scan-build warnings
util-pool.c:60:28: warning: Subtraction of a non-null pointer (from variable 'data') and a null pointer (via field 'data_buffer') results in undefined behavior [core.NullPointerArithm]
   60 |     ptrdiff_t delta = data - p->data_buffer;
      |                       ~~~~ ^    ~~~~~~~~~~~
util-pool.c:257:13: warning: Argument to 'free()' is offset by 24 bytes from the start of memory allocated by 'calloc()' [unix.Malloc]
  257 |             SCFree(pb);
      |             ^~~~~~~~~~
./util-mem.h:38:16: note: expanded from macro 'SCFree'
   38 | #define SCFree free
      |                ^
util-pool.c:262:9: warning: Attempt to release already released memory [unix.Malloc]
  262 |         SCFree(p->pb_buffer);
      |         ^~~~~~~~~~~~~~~~~~~~
./util-mem.h:38:16: note: expanded from macro 'SCFree'
   38 | #define SCFree free
      |                ^
3 warnings generated.

Also, after fixing these, this one came up.

  CC       util-pool.o
util-pool.c:244:9: warning: Attempt to release already released memory [unix.Malloc]
  244 |         SCFree(p->data_buffer);
      |         ^~~~~~~~~~~~~~~~~~~~~~
./util-mem.h:38:16: note: expanded from macro 'SCFree'
   38 | #define SCFree free
      |                ^
1 warning generated.

Address this as well.
2 months ago
Philippe Antoine bf64b52b95 http2: better compression against decompression bombs
Ticket: 8513

Suricata decides at 2 levels if a http2 flow is doing a compression
bomb.

There is a direct computation when one chunk of TCP data
is being parsed.
In this case, do not take the ratio into account, just use the size
of the decompressed data, so that if we get a big chunk of TCP data
like 1 MiB, and a not so high ratio of 200, we do not trigger
the debug assertion in util-file.c about 64MiB

The other case stays unchanged : when accumulating over the lifetile of
a flow with multiple txs, take into account the compression ratio,
so that a flow of many txs, having a super high (brotli) compression
ratio, ends up classified as a compression bomb.
(For example, having 100 txs each turning a 100 byte input into a 700 KiB
one)
2 months ago
Philippe Antoine 9aaa6f7854 http1: do not re-parse Content-Disposition header
Ticket: 8529

When Suricata handles a HTTP1 response body, it does so with a
file, and tries to get the filename from the Content-Disposition
header if any, then from the uri.

If it failed to find a file name, it tried again every time
there was new data from the response body, even if there was
no new data to find a file name in either the header nor the uri.

This causes a slowdown in the case the Content-Disposition header
is big.

Fix is to set the flag on the first call of the callback, to be
sure that we will parse the Content-Disposition header for a
filename header only once per http1 response.
2 months ago
Philippe Antoine 6d437956e2 detect/transforms: dotprefix can be chained
Ticket: 8537

Otherwise, it may cause a use-after-free, in case of reallocated
buffer and we used the buffer inspect which was freed.
2 months ago
Philippe Antoine 2b20a436e7 detect/transforms: decompress checks earlier if it is in-place
Ticket: 8536

Otherwise, it may cause a use-after-free.

So, need to allocate the temporary vector, before calling
SCInspectionBufferCheckAndExpand
2 months ago
Philippe Antoine 4c42998feb detect/engine: helper to know if a transform happens in-place 2 months ago
Philippe Antoine 7bf48b02be http2: protection against decompression bombs
Ticket: 8513

During decompression, fail early if we have a big decompression
ratio, and enough data.
Track this data also during a tx lifetime, and even a flow/state
lifetime, so that we set event and fail also if the compression
bomb is split over multiple packets
2 months ago
Philippe Antoine 29e4b08647 http2: code refactoring to split big function 2 months ago
Jeff Lucovsky 1dc629d978 defrag: release tracker lock before decoding reassembled packet
Decoding the reassembled packet inside DefragInsertFrag while holding
the tracker mutex creates a deadlock situation if the reassembled packet
contains tunneled fragments: two threads could each hold one tracker
mutex and deadlock on the other. Move the decode in Defrag() after
DefragTrackerRelease() so no lock is held during decode (and possibly
re-entering the defrag system).

Make sure to fetch tracker->ip_hdr_offset after DefragInsertFrag since
it may be written during that call if the first fragment arrives last.

Issue: 8550
2 months ago
Philippe Antoine 7a9fc64882 detect/lua: move allow_restricted_functions out of struct
Ticket: 8556

Allows hardening against buffer overflos in the structure.
Reduces the scope of the variable.
2 months ago
Philippe Antoine 0b239c4848 lua: add bounds checks for flowints and flowvars
Ticket: 8556
2 months ago
Philippe Antoine e98d419d96 ldap: bound the number of responses
Ticket: 8405
2 months ago
Jason Ish 078c08d84b dnp3: bound response reassembly
Ticket: 8460
2 months ago
Philippe Antoine 38d41e6fa6 dnp3: fix off-by-one in array sizes
So that we can write a final zero without overflowing the array
and relying on padding to avoid further problems

Ticket: 8448
2 months ago
Philippe Antoine c25ccd299e dnp3: explicit application layer length is bounded in uint16_t
Ticket: 8460
2 months ago
Philippe Antoine 658684a252 dnp3: bounds reassembly
Ticket: 8460
2 months ago
Philippe Antoine c977b2f31b frames: make sure we use a lowercase buffer name
Ticket: 8526

As some C protocols accepted case-insensitive frame names,
a rule using the same frame twice with different cases,
ended up using 2 different buffers,
which ended up in triggering a buffer overflow
2 months ago
Victor Julien 6ebd0c3cc2 http2: check for HTTP1 protocol during upgrade path
Ticket: 8492
2 months ago
Jason Ish 2d6c3213ae lua: enforce allocation limit on first alloc
Instead of just on re-alloc.

Ticket: #8507
2 months ago
Philippe Antoine 24527d662a defrag: check tracker/packet family in compare
Ticket: 8510

Without this check, in case of a hash collision, and the other
fields are equal, we could end up consider adding an IPv6 packet
to a IPv4 tracker (or vice versa).

Doing so, we end up interpreting an IPv6 packet as an IPv4 one,
and we do not benefit from the bounds checks from ipv4/ipv6 decoder.
2 months ago
Jason Ish 74eb82a8a5 datasets: fix path setup when load and save used with different paths
If load and save were used in the same rule with different paths, proper path
setup was skipped.

Ticket: #8546
2 months ago
Philippe Antoine 10bde66586 nfs: bound file_additional_procs to 1
Ticket: 8418

As we only need to know we saw at least one NFSPROC3_COMMIT
2 months ago
Philippe Antoine aea7ee21b8 nfs: bound namemap by using lru
Ticket: 8418
2 months ago