Commit Graph

87 Commits (be9cd0fd843f1e412bceb3a86b0ad4e5cb7b0782)

Author SHA1 Message Date
Arturo Borrero Gonzalez 221cb93024 src/: fix typo: receieved vs received
Reported by Debian's lintian tool.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
9 years ago
Jason Ish 796dd5223b tests: no longer necessary to provide successful return code
1 pass, 0 is fail.
9 years ago
Victor Julien ef6f347f84 detect-address: remove sgh pointer as it's unused 9 years ago
Victor Julien 9bd8197009 detect-address: remove debug mem counters 9 years ago
Victor Julien a7d126738a detect address: remove unused features 9 years ago
Alexander Gozman 69785f186c BUG #1689: fix stack overflow when parsing variables
Suricata crashed when a variable (either address or port)
referred to itself or if one created a looped chain of
variables. For instance:

HOME_NET:     "!$EXTERNAL_NET"
EXTERNAL_NET: "!$HOME_NET"

Or:

Var1: "$Var2"
Var2: "$Var3"
Var3: "$Var1"
10 years ago
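
Added example, not part of the commit above and not Suricata's code: one way to resolve chained address/port variables without unbounded recursion, by tracking the names already on the chain. The table layout, `lookup()`, `resolve()`, `MAX_CHAIN`, and the `DNS_SERVERS`/`LAN` entries are assumptions of this sketch; values are limited to a single literal or a single `$reference`.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CHAIN 16   /* hypothetical upper bound on reference depth */

struct var { const char *name, *value; };

/* Constructed sample config: the looped definitions from the commit message
 * plus one well-formed chain (DNS_SERVERS -> LAN) for contrast. */
static const struct var VARS[] = {
    { "HOME_NET", "!$EXTERNAL_NET" }, { "EXTERNAL_NET", "!$HOME_NET" },
    { "Var1", "$Var2" }, { "Var2", "$Var3" }, { "Var3", "$Var1" },
    { "DNS_SERVERS", "$LAN" }, { "LAN", "192.168.0.0/16" },
};

static const char *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof(VARS) / sizeof(VARS[0]); i++)
        if (strcmp(VARS[i].name, name) == 0)
            return VARS[i].value;
    return NULL;
}

/* Follow a chain of $references iteratively. Returns 0 and sets *out to the
 * final literal, -1 if a name is undefined, -2 if the chain loops or exceeds
 * MAX_CHAIN. A leading '!' is skipped: negation does not change which
 * variable is referenced, and only the chain matters for loop detection. */
int resolve(const char *name, const char **out)
{
    const char *seen[MAX_CHAIN];
    for (int depth = 0; depth < MAX_CHAIN; depth++) {
        for (int i = 0; i < depth; i++)
            if (strcmp(seen[i], name) == 0)
                return -2;              /* name already on the chain: loop */
        seen[depth] = name;
        const char *v = lookup(name);
        if (v == NULL)
            return -1;
        if (*v == '!')
            v++;
        if (*v != '$') {                /* reached a literal value */
            *out = v;
            return 0;
        }
        name = v + 1;                   /* continue with the referenced name */
    }
    return -2;
}
```
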
Alexander Gozman 45ba20bcb0 DetectAddressParseString(): fix IPv6 address handling 10 years ago
Victor Julien 0bc27c7dc7 rule-vars: take detect engine as arg 11 years ago
Victor Julien 2be9ccfe9c detect: pass DetectEngineCtx to address parsing
Preparation for prefix handling in address parsing.
11 years ago
bmeeks8 61a9739f44 Bug fix: IPv6 addresses in negated range and IPv6 string into radix tree.
I found three somewhat serious IPv6 address bugs within the Suricata 2.0.x source code. Two are in the source module "detect-engine-address.c", and the third is in "util-radix-tree.c".

The first bug occurs within the function DetectAddressParse2(). When parsing an address string and a negated block is encountered (such as when parsing !$HOME_NET, for example), any corresponding IPv6 addresses were not getting added to the Group Heads in the DetectAddressList. Only IPv4 addresses were being added.

I discovered another bug related to IPv6 address ranges in the Signature Match Address Array comparison code for IPv6 addresses. The function DetectAddressMatchIPv6() walks a signature's source or destination match address list comparing each to the current packet's corresponding address value. The match address list consists of value pairs representing a lower and upper IP address range. If the packet's address is within that range (including equal to either the lower or upper bound), then a signature match flag is returned.

The original test of each signature match address to the packet was performed using a set of four compounded AND comparisons looking at each of the four 32-bit blocks that comprise an IPv6 address. The problem with the old comparison is that if ANY of the four 32-bit blocks failed the test, then a "no-match" was returned. This is incorrect. If one or more of the more significant 32-bit blocks met the condition, then it is a match no matter if some of the less significant 32-bit blocks did not meet the condition. Consider this example where Packet represents the packet address being checked, and Target represents the upper bound of a match address pair. We are testing if Packet is less than Target.

Packet -- 2001:0470 : 1f07:00e2 : 1988:01f1 : d468:27ab
Target -- 2001:0470 : 1f07:00e2 : a48c:2e52 : d121:101e

In this example the Packet's address is less than the target and it should give a match. However, the old code would compare each 32-bit block (shown spaced out above for clarity) and logically AND the result with the next least significant block comparison. If any of the four blocks failed the comparison, that kicked out the whole address. The flaw is illustrated above. The first two blocks are 2001:0470 and 1f07:00e2 and yield TRUE; the next less significant block is 1988:01f1 and a48c:2e52, and also yields TRUE (that is, Packet is less than Target); but the last block compare is FALSE (d468:27ab is not less than d121:101e). That last block is the least significant block, though, so its FALSE determination should not invalidate a TRUE from any of the more significant blocks. However, in the previous code using the compound logical AND block, that last least significant block would invalidate the tests done with the more significant blocks.

The other bug I found for IPv6 occurs when trying to parse and insert an IPv6 address into a Radix Tree using the function SCRadixAddKeyIPV6String(). The test for min and max values for an IPv6 CIDR mask incorrectly tests the upper limit as 32 when it should be 128 for an IPv6 address. I think this perhaps is an old copy-paste error if the IPv6 version of this function was initially copied from the corresponding IPv4 version directly above it in the code. Without this patch, the function will return null when you attempt to add an IPv6 network whose CIDR mask is larger than 32 (for example, the popular /64 mask will cause the function to return the NULL error condition).

(amended by Victor Julien)
11 years ago
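
Added example, not part of the commit above and not Suricata's code: the block-wise AND range test the message describes, next to a comparison in which the most significant differing 32-bit block decides. The `V6` type, the function names, host-byte-order storage, and the `LOW` and `ABOVE` addresses are assumptions of this sketch; `PACKET` and `TARGET` are the two addresses quoted in the message.

```c
#include <stdint.h>
#include <stdio.h>

/* IPv6 address as four 32-bit blocks, most significant first, host byte order. */
typedef struct { uint32_t b[4]; } V6;

/* PACKET and TARGET come from the commit message; LOW and ABOVE are constructed. */
static const V6 PACKET = {{0x20010470, 0x1f0700e2, 0x198801f1, 0xd46827ab}};
static const V6 TARGET = {{0x20010470, 0x1f0700e2, 0xa48c2e52, 0xd121101e}};
static const V6 LOW    = {{0x20010470, 0x1f0700e2, 0x00000000, 0x00000000}};
static const V6 ABOVE  = {{0x20010470, 0x1f0700e2, 0xa48c2e52, 0xd121101f}};

/* Flawed pattern: every block must pass on its own, results ANDed together. */
static int le_all_blocks(const V6 *a, const V6 *b)
{
    return a->b[0] <= b->b[0] && a->b[1] <= b->b[1] &&
           a->b[2] <= b->b[2] && a->b[3] <= b->b[3];
}

/* Correct ordering: the first (most significant) differing block decides. */
static int v6_cmp(const V6 *a, const V6 *b)
{
    for (int i = 0; i < 4; i++)
        if (a->b[i] != b->b[i])
            return a->b[i] < b->b[i] ? -1 : 1;
    return 0;
}

int in_range_flawed(const V6 *p, const V6 *lo, const V6 *hi)
{
    return le_all_blocks(lo, p) && le_all_blocks(p, hi);
}

int in_range_fixed(const V6 *p, const V6 *lo, const V6 *hi)
{
    return v6_cmp(lo, p) <= 0 && v6_cmp(p, hi) <= 0;
}

int main(void)
{
    printf("flawed, PACKET: %d\n", in_range_flawed(&PACKET, &LOW, &TARGET));
    printf("fixed,  PACKET: %d\n", in_range_fixed(&PACKET, &LOW, &TARGET));
    printf("fixed,  ABOVE:  %d\n", in_range_fixed(&ABOVE, &LOW, &TARGET));
    return 0;
}
```
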
Ken Steele 8f1d75039a Enforce function coding standard
Functions should be defined as:

int foo(void)
{
}

Rather than:
int food(void) {
}

All functions were changed by a script to match this standard.
11 years ago
Victor Julien 1ac805f1b3 Fix address parsing issues
Fix issue where negating a range containing a negation would fail.

E.g. HOME_NET: [192.168.0.0/16,!192.168.10.0], can be used in a rule
     as !$HOME_NET.

Also, fix another parsing issue:

If the negation range would be bigger than the 'positive' range, parsing
wouldn't be correct. Now this case is rejected.

E.g. [192.168.1.3,!192.168.0.0/16] is now explicitly rejected

Ticket 1079.
12 years ago
Victor Julien 2ce8895f0a address and port: reduce memory allocs 12 years ago
Victor Julien 27ea4232fe Coverity 1038134 fix
Cleaned up error check. "ipdup" can only be non-NULL there, so remove check
that confused coverity.
12 years ago
Anoop Saldanha e2f4144d99 fix for #920.
Cull the space before the address specified in address var variables.
12 years ago
Victor Julien 1b363ecb1d Fix test AddressTestParse36 on Big Endian systems 13 years ago
Victor Julien d0c1410cf5 Fix sig grouping bug when certain sigs are mixed. Add tests. 13 years ago
Anoop Saldanha f59ce70c17 fix for #694.
Invalidate any address/port vars in the conf that uses a sequence
without quotes.
13 years ago
Anoop Saldanha 51868f17ae unittest to show the seg fault from bug_694 13 years ago
Last G 8ae11f73b2 Added parentheses to fix Eclipse static code analysis
Fixed bug in action priority (REJECT_DST had lowest prio)
13 years ago
Victor Julien 84bad6db77 Silence compiler warnings found by clang 13 years ago
Victor Julien c3f4f8d46a Dead code cleanup. Coverity 728047, 728048, 728049. 13 years ago
Eric Leblond e176be6fcc Use unlikely for error treatment.
When handling error case on SCMalloc, SCCalloc or SCStrdup
we are in an unlikely case. This patch adds the unlikely()
expression to indicate this to gcc.

This patch has been obtained via coccinelle. The transformation
is the following:

@istested@
identifier x;
statement S1;
identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)";
@@

x = func(...)
... when != x
- if (x == NULL) S1
+ if (unlikely(x == NULL)) S1
13 years ago
Eric Leblond d292004880 Add some missing checks of SCStrdup return. 13 years ago
Victor Julien 5e95524122 Improve error reporting in case of syntax errors in the address and port vars. 13 years ago
Anoop Saldanha 4689783342 bug #454 - rebase fix. Also use better error code to indicate invalid address var yaml entry 13 years ago
Anoop Saldanha b3660dc5db bug #454 - add unittests for the address/port conf var validation function 13 years ago
Anoop Saldanha 678763c3f4 bug #454 - global check to see if address and port vars are properly configured 13 years ago
Anoop Saldanha d39b7b72bd Add a nice error message when we exceeded address buffer limit for a rule 13 years ago
Anoop Saldanha 7495f59773 bug #451 fix for parsing address. Increase buffer size 13 years ago
Victor Julien 36c83f2651 Minor textual update. 13 years ago
Anoop Saldanha 0da93e84ca bug 454 - Provide better error message when the user supplies a NULL address range 13 years ago
Victor Julien e237841a8e Fix compilation with profiling enabled. Minor unittest fixes. 14 years ago
Anoop Saldanha e682796d03 feature #414 - support listing supported keywords. Remove support for dummy keywords __address__, __proto__, __port__. Remove support for recursive keyword and all references to it 14 years ago
Victor Julien c4b34e6ef7 Fix various minor clang/scan-build warnings. 14 years ago
Victor Julien bfff14aa78 Improve error detection in the port and address parsing in signatures. Bug #295. 14 years ago
Victor Julien 60887131be Fix minor address parsing compiler warning. 14 years ago
Eric Leblond 8ff8ec4f82 Export some DetectAddress related function. 14 years ago
Eric Leblond 85e8d8e200 Add sanity check to DetectAddressParse.
The function is only used at parsing time, this is not costly to add
a simple sanity check.
14 years ago
Eric Leblond 6b9d1012ff Transform inet_ntop call into PrintInet one. 14 years ago
Victor Julien 92536c4952 Fix address test on big-endian. 15 years ago
Victor Julien b8cf50678f Fix many address unittests using explicit byte order and thus failing on big-endian systems. 15 years ago
Victor Julien 014f62247a Another batch of clang fixes. Nothing really serious. Includes a couple of fixes for broken fixes from yesterday. 15 years ago
Victor Julien 102092a89c Make signature address matching more cache efficient. 15 years ago
Victor Julien 1eec149f5e Use Address structure in DetectAddress struct. 15 years ago
William Metcalf afa8a2b8ba Null deref fix for detect-engine-address.c 15 years ago
Gerardo Iglesias Galvan 9f4fae5b1a Fix inconsistent use of dynamic memory allocation 15 years ago
Victor Julien 46831e0f8f Fix signature grouping bug for protocols without ports. Add debugging code. 15 years ago
Victor Julien a372c1d14e Fix/workaround a strange detection issue. 15 years ago
William Metcalf ce01927515 Import of GPLv2 Header 050410 15 years ago