next/448/70x/20240523/v1 #11135
Merged
next/448/70x/20240523/v1 #11135
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Issue: 6861 Without this commit, disabling rule profiling via suricatasc's command 'ruleset-profile-stop' may crash because profiling_rules_entered becomes negative. This can happen because - There can be multiple rules evaluated for a single packet - Each rule is profiled individually. - Starting profiling is gated by a configuration setting and rule profiling being active - Ending profiling is gated by the same configuration setting and whether the packet was marked as profiling. The crash can occur when a rule is being profiled and rule profiling is then disabled after one at least one rule was profiled for the packet (which marks the packet as being profiled). In this scenario, the value of profiling_rules_entered was not incremented so the BUG_ON in the end profiling macro trips because it is 0. The changes to fix the problem are: - In the profiling end macro, gate the actions taken there by the same configuration setting and use the profiling_rues_entered (instead of the per-packet profiling flag). Since the start and end macros are tightly coupled, this will permit profiling to "finish" if started. - Modify SCProfileRuleStart to only check the sampling values if the packet hasn't been marked for profiling already. This change makes all rules for a packet (once selected) to be profiled (without this change sampling is applied to each *rule* that applies to the packet. (cherry picked from commit bf5cfd6)
In offline mode, a timestamp is kept per thread, and the lowest timestamp of the active threads is used. This was also considering the non-packet threads, which could lead to the used timestamp being further behind that needed. This would happen at the start of the program, as the non-packet threads were set up the same way as the packet threads. This patch both no longer sets up the timestamp for non-packet threads as well as not considering non-packet threads during timestamp retrieval. Fixes: 6f56014 ("time: improve offline time handling") Bug: OISF#7034. (cherry picked from commit 5455799)
The on-disk pcap pkthdr is 16 bytes. This was calculated using `sizeof(struct pcap_pkthdr)`, which is 24 bytes on 64 bit Linux. On Macos, it's even worse, as a comment field grows the struct to 280 bytes. Address this by hardcoding the value of 16. Bug: OISF#7037. (cherry picked from commit 6c937a9)
Bug: https://redmine.openinfosecfoundation.org/issues/6782 Callers to these allocators often use ``sc_errno`` to provide context of the error. And in the case of the above bug, they return ``sc_errno``, but as it has not been set ``sc_errno = 0; == SC_OK``. This patch simply sets this variable to ensure there is context provided upon error. (cherry picked from commit fc2e49f)
As we now support variable size headers, we can't use the old pointer. Replace with a flag. (cherry picked from commit 6067955)
No users of the pointer anymore, so remove it. (cherry picked from commit 7e3f071)
Recognize PPP_CCP, PPP_CBCP and PPP_COMP_DGRAM. Does not implement decoders for these record types, so these are logged as unsupported types. Was "wrong_type" before. (cherry picked from commit 516441b)
** CID 1596376: (CONSTANT_EXPRESSION_RESULT)
/src/decode-ppp.c: 64 in DecodePPPCompressedProto()
/src/decode-ppp.c: 55 in DecodePPPCompressedProto()
________________________________________________________________________________________________________
*** CID 1596376: (CONSTANT_EXPRESSION_RESULT)
/src/decode-ppp.c: 64 in DecodePPPCompressedProto()
58 case 0x57: { /* PPP_IPV6 */
59 if (unlikely(len < (data_offset + IPV6_HEADER_LEN))) {
60 ENGINE_SET_INVALID_EVENT(p, PPPIPV6_PKT_TOO_SMALL);
61 return TM_ECODE_FAILED;
62 }
63 DEBUG_VALIDATE_BUG_ON(len < data_offset);
>>> CID 1596376: (CONSTANT_EXPRESSION_RESULT)
>>> "65535 /* 32767 * 2 + 1 */ < (uint16_t)(len - data_offset)" is always false regardless of the values of its operands. This occurs as the logical first operand of "?:".
64 uint16_t iplen = MIN(USHRT_MAX, (uint16_t)(len - data_offset));
65 return DecodeIPV6(tv, dtv, p, pkt + data_offset, iplen);
66 }
67 case 0x2f: /* PPP_VJ_UCOMP */
68 if (unlikely(len < (data_offset + IPV4_HEADER_LEN))) {
69 ENGINE_SET_INVALID_EVENT(p, PPPVJU_PKT_TOO_SMALL);
/src/decode-ppp.c: 55 in DecodePPPCompressedProto()
49 case 0x21: { /* PPP_IP */
50 if (unlikely(len < (data_offset + IPV4_HEADER_LEN))) {
51 ENGINE_SET_INVALID_EVENT(p, PPPVJU_PKT_TOO_SMALL);
52 return TM_ECODE_FAILED;
53 }
54 DEBUG_VALIDATE_BUG_ON(len < data_offset);
>>> CID 1596376: (CONSTANT_EXPRESSION_RESULT)
>>> "65535 /* 32767 * 2 + 1 */ < (uint16_t)(len - data_offset)" is always false regardless of the values of its operands. This occurs as the logical first operand of "?:".
55 uint16_t iplen = MIN(USHRT_MAX, (uint16_t)(len - data_offset));
56 return DecodeIPV4(tv, dtv, p, pkt + data_offset, iplen);
57 }
58 case 0x57: { /* PPP_IPV6 */
59 if (unlikely(len < (data_offset + IPV6_HEADER_LEN))) {
60 ENGINE_SET_INVALID_EVENT(p, PPPIPV6_PKT_TOO_SMALL);
(cherry picked from commit dc5b78e)
Ticket: 6846 This led to packet rules logging irrelevant app-layer data (cherry picked from commit 910f6af)
Ticket: 6846 (cherry picked from commit 2b4e102)
When we only have stream matches. Ticket: 6846 This solves the case where another transaction was created by parsing data in the other direction, before running the detection. Like 1. get data in direction 1 2. acked data: parse it, but do not run detection in dir 1 3. other data in direction 2 4. other data acked : parse it and create new tx, then run detection for direction 1 with data from first packet (cherry picked from commit 7274ad5)
jufajardini
approved these changes
May 23, 2024
catenacyber
approved these changes
May 23, 2024
|
WARNING:
Pipeline 20754 |
jasonish
approved these changes
May 23, 2024
|
@ct0br0 this needs the same qa baseline update as here #10844 (comment) |
This was referenced May 24, 2024
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Staging:
SV_BRANCH=OISF/suricata-verify#1852