Batch backports to master-5.0.x #6384

Closed
wants to merge 8 commits into from
Closed
5 changes: 4 additions & 1 deletion scripts/dnp3-gen/dnp3-gen.py
@@ -175,7 +175,7 @@
json_object_set_new(js, "{{field.name}}",
json_real(data->{{field.name}}));
{% elif field.type == "bytearray" %}
unsigned long {{field.name}}_b64_len = data->{{field.len_field}} * 2;
unsigned long {{field.name}}_b64_len = BASE64_BUFFER_SIZE(data->{{field.len_field}});
uint8_t {{field.name}}_b64[{{field.name}}_b64_len];
Base64Encode(data->{{field.name}}, data->{{field.len_field}},
{{field.name}}_b64, &{{field.name}}_b64_len);
@@ -524,6 +524,9 @@ def gen_object_decoders(context):
}
{% elif field.type == "chararray" %}
{% if field.len_from_prefix %}
if (prefix - (offset - *len) >= {{field.size}}) {
goto error;
}
object->{{field.len_field}} = prefix - (offset - *len);
{% endif %}
if (object->{{field.len_field}} > 0) {
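Review bot: In the bytearray branch the return value of `Base64Encode(...)` is discarded, so a failed encode would leave `{{field.name}}_b64` unwritten for whatever consumes it after this hunk (not visible here); the corrected buffer size makes failure unlikely, but the generated code should still test the result before using the buffer. That buffer is also a variable-length array sized from `data->{{field.len_field}}`, so stack use follows a length taken from the decoded object, and a comment naming the maximum that length can reach would help reviewers. In the chararray hunk the new guard deserves a one-line comment such as `/* remaining prefix bytes must stay below {{field.size}}; unsigned wrap from over-consumption is rejected too */`, assuming `prefix` and `offset` are unsigned like `*len`.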
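--- a/src/app-layer-dnp3-objects.c
+++ b/src/app-layer-dnp3-objects.c
@@ -7153,6 +7153,9 @@ static int DNP3DecodeObjectG70V4(const uint8_t **buf, uint32_t *len,
 if (!DNP3ReadUint8(buf, len, &object->status_code)) {
 goto error;
 }
+if (prefix - (offset - *len) >= 255) {
+goto error;
+}
 object->optional_text_len = prefix - (offset - *len);
 if (object->optional_text_len > 0) {
 if (*len < object->optional_text_len) {
@@ -7217,6 +7220,9 @@ static int DNP3DecodeObjectG70V5(const uint8_t **buf, uint32_t *len,
 if (!DNP3ReadUint32(buf, len, &object->block_number)) {
 goto error;
 }
+if (prefix - (offset - *len) >= 255) {
+goto error;
+}
 object->file_data_len = prefix - (offset - *len);
 if (object->file_data_len > 0) {
 if (*len < object->file_data_len) {
@@ -7284,6 +7290,9 @@ static int DNP3DecodeObjectG70V6(const uint8_t **buf, uint32_t *len,
 if (!DNP3ReadUint8(buf, len, &object->status_code)) {
 goto error;
 }
+if (prefix - (offset - *len) >= 255) {
+goto error;
+}
 object->optional_text_len = prefix - (offset - *len);
 if (object->optional_text_len > 0) {
 if (*len < object->optional_text_len) {
@@ -7413,6 +7422,9 @@ static int DNP3DecodeObjectG70V8(const uint8_t **buf, uint32_t *len,
 
 offset = *len;
 
+if (prefix - (offset - *len) >= 65535) {
+goto error;
+}
 object->file_specification_len = prefix - (offset - *len);
 if (object->file_specification_len > 0) {
 if (*len < object->file_specification_len) {
@@ -8158,6 +8170,9 @@ static int DNP3DecodeObjectG120V7(const uint8_t **buf, uint32_t *len,
 if (!DNP3ReadUint48(buf, len, &object->time_of_error)) {
 goto error;
 }
+if (prefix - (offset - *len) >= 65535) {
+goto error;
+}
 object->error_text_len = prefix - (offset - *len);
 if (object->error_text_len > 0) {
 if (*len < object->error_text_len) {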
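--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2011 Open Information Security Foundation
+/* Copyright (C) 2007-2021 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -204,68 +204,64 @@ static void TCPProtoDetectCheckBailConditions(ThreadVars *tv,
 return;
 }
 
-uint32_t size_ts = ssn->client.last_ack - ssn->client.isn - 1;
-uint32_t size_tc = ssn->server.last_ack - ssn->server.isn - 1;
-SCLogDebug("size_ts %u, size_tc %u", size_ts, size_tc);
+const uint32_t size_ts = StreamDataAvailableForProtoDetect(&ssn->client);
+const uint32_t size_tc = StreamDataAvailableForProtoDetect(&ssn->server);
+SCLogDebug("size_ts %" PRIu32 ", size_tc %" PRIu32, size_ts, size_tc);
 
-#ifdef DEBUG_VALIDATION
-if (!(ssn->client.flags & STREAMTCP_STREAM_FLAG_GAP))
-BUG_ON(size_ts > 1000000UL);
-if (!(ssn->server.flags & STREAMTCP_STREAM_FLAG_GAP))
-BUG_ON(size_tc > 1000000UL);
-#endif /* DEBUG_VALIDATION */
+/* at least 100000 whatever the conditions
+* and can be more if window is bigger and if configuration allows it */
+const uint32_t size_tc_limit =
+MAX(100000, MIN(ssn->client.window, stream_config.reassembly_depth));
+const uint32_t size_ts_limit =
+MAX(100000, MIN(ssn->server.window, stream_config.reassembly_depth));
 
 if (ProtoDetectDone(f, ssn, STREAM_TOSERVER) &&
 ProtoDetectDone(f, ssn, STREAM_TOCLIENT))
 {
 goto failure;
 
-} else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
-size_ts > 100000 && size_tc == 0)
-{
-AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
-APPLAYER_PROTO_DETECTION_SKIPPED);
-goto failure;
-
-} else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
-size_tc > 100000 && size_ts == 0)
-{
-AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
-APPLAYER_PROTO_DETECTION_SKIPPED);
-goto failure;
-
-/* little data in ts direction, pp done, pm not done (max
-* depth not reached), ts direction done, lots of data in
-* tc direction. */
-} else if (size_tc > 100000 &&
-FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) &&
-FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT))
-{
-AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
-APPLAYER_PROTO_DETECTION_SKIPPED);
-goto failure;
-
-/* little data in tc direction, pp done, pm not done (max
-* depth not reached), tc direction done, lots of data in
-* ts direction. */
-} else if (size_ts > 100000 &&
-FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) && !(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) &&
-FLOW_IS_PM_DONE(f, STREAM_TOSERVER) && FLOW_IS_PP_DONE(f, STREAM_TOSERVER))
-{
-AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
-APPLAYER_PROTO_DETECTION_SKIPPED);
-goto failure;
-
-/* in case of really low TS data (e.g. 4 bytes) we can have
-* the PP complete, PM not complete (depth not reached) and
-* the TC side also not recognized (proto unknown) */
-} else if (size_tc > 100000 &&
-FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && !(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) &&
-(!FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) && !FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)))
-{
-AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
-APPLAYER_PROTO_DETECTION_SKIPPED);
-goto failure;
+/* we bail out whatever the pp and pm states if
+* we received too much data */
+} else if (size_tc > 2 * size_tc_limit || size_ts > 2 * size_ts_limit) {
+AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
+APPLAYER_PROTO_DETECTION_SKIPPED);
+goto failure;
+
+} else if (FLOW_IS_PM_DONE(f, STREAM_TOSERVER) &&
+FLOW_IS_PP_DONE(f, STREAM_TOSERVER) && size_ts > size_ts_limit &&
+size_tc == 0) {
+AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
+APPLAYER_PROTO_DETECTION_SKIPPED);
+goto failure;
+
+} else if (FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) &&
+FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) && size_tc > size_tc_limit &&
+size_ts == 0) {
+AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
+APPLAYER_PROTO_DETECTION_SKIPPED);
+goto failure;
+
+/* little data in ts direction, pp done, pm not done (max
+* depth not reached), ts direction done, lots of data in
+* tc direction. */
+} else if (size_tc > size_tc_limit && FLOW_IS_PP_DONE(f, STREAM_TOSERVER) &&
+!(FLOW_IS_PM_DONE(f, STREAM_TOSERVER)) &&
+FLOW_IS_PM_DONE(f, STREAM_TOCLIENT) &&
+FLOW_IS_PP_DONE(f, STREAM_TOCLIENT)) {
+AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
+APPLAYER_PROTO_DETECTION_SKIPPED);
+goto failure;
+
+/* little data in tc direction, pp done, pm not done (max
+* depth not reached), tc direction done, lots of data in
+* ts direction. */
+} else if (size_ts > size_ts_limit && FLOW_IS_PP_DONE(f, STREAM_TOCLIENT) &&
+!(FLOW_IS_PM_DONE(f, STREAM_TOCLIENT)) &&
+FLOW_IS_PM_DONE(f, STREAM_TOSERVER) &&
+FLOW_IS_PP_DONE(f, STREAM_TOSERVER)) {
+AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
+APPLAYER_PROTO_DETECTION_SKIPPED);
+goto failure;
 }
 return;
 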
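Review bot: The two limits added before the `if` chain read as crossed, since `size_tc_limit` is derived from `ssn->client.window` and `size_ts_limit` from `ssn->server.window`, and the comment above them does not say this is intended. If it is (the receiver's window bounding what its peer can send), the comment should state it, e.g. `/* to-client data is bounded by the client's window, to-server data by the server's */`. The same comment should say what `MIN(window, stream_config.reassembly_depth)` yields when the depth is configured as 0; if 0 means unlimited there, the limit quietly falls back to 100000. The literal `100000` and the factor `2` in the unconditional bail-out would be easier to audit as named constants, because they decide when a flow stops being examined by protocol detection and only `APPLAYER_PROTO_DETECTION_SKIPPED` records it. The enclosing function starts and ends outside the hunk.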
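--- a/src/counters.c
+++ b/src/counters.c
@@ -837,6 +837,9 @@ TmEcode StatsOutputCounterSocket(json_t *cmd,
 
 static void StatsLogSummary(void)
 {
+if (!stats_enabled) {
+return;
+}
 uint64_t alerts = 0;
 SCMutexLock(&stats_table_mutex);
 if (stats_table.start_time != 0) {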
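--- a/src/stream-tcp-reassemble.c
+++ b/src/stream-tcp-reassemble.c
@@ -580,6 +580,19 @@ static uint32_t StreamTcpReassembleCheckDepth(TcpSession *ssn, TcpStream *stream
 SCReturnUInt(0);
 }
 
+uint32_t StreamDataAvailableForProtoDetect(TcpStream *stream) {
+if (RB_EMPTY(&stream->sb.sbb_tree)) {
+if (stream->sb.stream_offset != 0)
+return 0;
+
+return stream->sb.buf_offset;
+} else {
+DEBUG_VALIDATE_BUG_ON(stream->sb.head == NULL);
+DEBUG_VALIDATE_BUG_ON(stream->sb.sbb_size == 0);
+return stream->sb.sbb_size;
+}
+}
+
 /**
 * \brief Insert a packets TCP data into the stream reassembly engine.
 *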
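Review bot: StreamDataAvailableForProtoDetect is added without the `/** \brief ... */` header that the next function in this file carries, and its return paths need one. With an empty block tree it reports `buf_offset` only while `stream_offset` is 0 and otherwise returns 0, which a caller comparing the result against a bail-out limit will read as "no data", presumably once the buffer start has moved past the beginning of the stream. A short doc comment naming the three outcomes (0, `buf_offset`, `sbb_size`) and why 0 is returned in the second case would keep that from being misused. The function only reads the stream, so the parameter could be `const TcpStream *stream`, matching STREAM_LASTACK_GT_BASESEQ in the header. The opening brace on the signature line also differs from the own-line brace used for StatsLogSummary elsewhere in this change.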
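--- a/src/stream-tcp-reassemble.h
+++ b/src/stream-tcp-reassemble.h
@@ -140,5 +140,7 @@ static inline bool STREAM_LASTACK_GT_BASESEQ(const TcpStream *stream)
 return false;
 }
 
+uint32_t StreamDataAvailableForProtoDetect(TcpStream *stream);
+
 #endif /* __STREAM_TCP_REASSEMBLE_H__ */
 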
4 changes: 2 additions & 2 deletions src/stream-tcp.c
@@ -80,8 +80,8 @@
//#define DEBUG

#define STREAMTCP_DEFAULT_PREALLOC 2048
#define STREAMTCP_DEFAULT_MEMCAP (32 * 1024 * 1024) /* 32mb */
#define STREAMTCP_DEFAULT_REASSEMBLY_MEMCAP (64 * 1024 * 1024) /* 64mb */
#define STREAMTCP_DEFAULT_MEMCAP (64 * 1024 * 1024) /* 64mb */
#define STREAMTCP_DEFAULT_REASSEMBLY_MEMCAP (256 * 1024 * 1024) /* 256mb */
#define STREAMTCP_DEFAULT_TOSERVER_CHUNK_SIZE 2560
#define STREAMTCP_DEFAULT_TOCLIENT_CHUNK_SIZE 2560
#define STREAMTCP_DEFAULT_MAX_SYNACK_QUEUED 5