suricata: Fix CVE-2024-55605

Upstream-Status: Backport from f80ebd5a30 && c3a6abf601

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Hitendra Prajapati
2025-04-01 14:17:43 +05:30
committed by Scott Murray
parent de2be008d5
commit 0022895810
2 changed files with 206 additions and 0 deletions


@@ -0,0 +1,205 @@
From f80ebd5a30b02db5915f749f0c067c7adefbbe76 Mon Sep 17 00:00:00 2001
From: Philippe Antoine <pantoine@oisf.net>
Date: Thu, 7 Nov 2024 17:49:45 +0100
Subject: [PATCH] detect/transforms: write directly in inspect buffer
instead of writing to a temporary buffer and then copying,
to save the cost of copying.
Ticket: 7229
Upstream-Status: Backport [https://github.com/OISF/suricata/commit/f80ebd5a30b02db5915f749f0c067c7adefbbe76 && https://github.com/OISF/suricata/commit/c3a6abf60134c2993ee3802ee52206e9fdbf55ba]
CVE: CVE-2024-55605
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
src/detect-engine.c | 23 ++++++++++++++++++++--
src/detect-engine.h | 3 ++-
src/detect-transform-compress-whitespace.c | 8 ++++++--
src/detect-transform-dotprefix.c | 10 +++++++---
src/detect-transform-strip-whitespace.c | 8 ++++++--
src/detect-transform-urldecode.c | 8 ++++++--
src/detect-transform-xor.c | 7 +++++--
7 files changed, 53 insertions(+), 14 deletions(-)
diff --git a/src/detect-engine.c b/src/detect-engine.c
index 141b48a..cdb24d8 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -1647,11 +1647,13 @@ void InspectionBufferFree(InspectionBuffer *buffer)
/**
* \brief make sure that the buffer has at least 'min_size' bytes
* Expand the buffer if necessary
+ *
+ * \retval pointer to inner buffer to use, or NULL if realloc failed
*/
-void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size)
+uint8_t *InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size)
{
if (likely(buffer->size >= min_size))
- return;
+ return buffer->buf;
uint32_t new_size = (buffer->size == 0) ? 4096 : buffer->size;
while (new_size < min_size) {
@@ -1662,7 +1664,24 @@ void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size)
if (ptr != NULL) {
buffer->buf = ptr;
buffer->size = new_size;
+ } else {
+ return NULL;
}
+ return buffer->buf;
+}
+
+/**
+ * \brief set inspect length of inspect buffer
+ * The inspect buffer may have been overallocated (by strip_whitespace for example)
+ * so, this sets the final length
+ */
+void InspectionBufferTruncate(InspectionBuffer *buffer, uint32_t buf_len)
+{
+ DEBUG_VALIDATE_BUG_ON(buffer->buf == NULL);
+ DEBUG_VALIDATE_BUG_ON(buf_len > buffer->size);
+ buffer->inspect = buffer->buf;
+ buffer->inspect_len = buf_len;
+ buffer->initialized = true;
}
void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len)
diff --git a/src/detect-engine.h b/src/detect-engine.h
index 7617e66..04713a7 100644
--- a/src/detect-engine.h
+++ b/src/detect-engine.h
@@ -31,7 +31,8 @@ void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size);
void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id,
InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len);
void InspectionBufferFree(InspectionBuffer *buffer);
-void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size);
+uint8_t *InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size);
+void InspectionBufferTruncate(InspectionBuffer *buffer, uint32_t buf_len);
void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len);
void InspectionBufferApplyTransforms(InspectionBuffer *buffer,
const DetectEngineTransforms *transforms);
diff --git a/src/detect-transform-compress-whitespace.c b/src/detect-transform-compress-whitespace.c
index 5cbf0fd..cc78c7e 100644
--- a/src/detect-transform-compress-whitespace.c
+++ b/src/detect-transform-compress-whitespace.c
@@ -111,7 +111,11 @@ static void TransformCompressWhitespace(InspectionBuffer *buffer, void *options)
return;
}
- uint8_t output[input_len]; // we can only shrink
+ // we can only shrink
+ uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len);
+ if (output == NULL) {
+ return;
+ }
uint8_t *oi = output, *os = output;
//PrintRawDataFp(stdout, input, input_len);
@@ -132,7 +136,7 @@ static void TransformCompressWhitespace(InspectionBuffer *buffer, void *options)
uint32_t output_size = oi - os;
//PrintRawDataFp(stdout, output, output_size);
- InspectionBufferCopy(buffer, os, output_size);
+ InspectionBufferTruncate(buffer, output_size);
}
#ifdef UNITTESTS
diff --git a/src/detect-transform-dotprefix.c b/src/detect-transform-dotprefix.c
index 52a2633..d58e1d4 100644
--- a/src/detect-transform-dotprefix.c
+++ b/src/detect-transform-dotprefix.c
@@ -110,11 +110,15 @@ static void TransformDotPrefix(InspectionBuffer *buffer, void *options)
const size_t input_len = buffer->inspect_len;
if (input_len) {
- uint8_t output[input_len + 1]; // For the leading '.'
+ // For the leading '.'
+ uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len + 1);
+ if (output == NULL) {
+ return;
+ }
+ memmove(&output[1], buffer->inspect, input_len);
output[0] = '.';
- memcpy(&output[1], buffer->inspect, input_len);
- InspectionBufferCopy(buffer, output, input_len + 1);
+ InspectionBufferTruncate(buffer, input_len + 1);
}
}
diff --git a/src/detect-transform-strip-whitespace.c b/src/detect-transform-strip-whitespace.c
index 32fb96f..6040592 100644
--- a/src/detect-transform-strip-whitespace.c
+++ b/src/detect-transform-strip-whitespace.c
@@ -106,7 +106,11 @@ static void TransformStripWhitespace(InspectionBuffer *buffer, void *options)
if (input_len == 0) {
return;
}
- uint8_t output[input_len]; // we can only shrink
+ // we can only shrink
+ uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len);
+ if (output == NULL) {
+ return;
+ }
uint8_t *oi = output, *os = output;
//PrintRawDataFp(stdout, input, input_len);
@@ -119,7 +123,7 @@ static void TransformStripWhitespace(InspectionBuffer *buffer, void *options)
uint32_t output_size = oi - os;
//PrintRawDataFp(stdout, output, output_size);
- InspectionBufferCopy(buffer, os, output_size);
+ InspectionBufferTruncate(buffer, output_size);
}
#ifdef UNITTESTS
diff --git a/src/detect-transform-urldecode.c b/src/detect-transform-urldecode.c
index 13ef033..a4e9655 100644
--- a/src/detect-transform-urldecode.c
+++ b/src/detect-transform-urldecode.c
@@ -125,12 +125,16 @@ static void TransformUrlDecode(InspectionBuffer *buffer, void *options)
if (input_len == 0) {
return;
}
- uint8_t output[input_len]; // we can only shrink
+ // we can only shrink
+ uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len);
+ if (output == NULL) {
+ return;
+ }
changed = BufferUrlDecode(input, input_len, output, &output_size);
if (changed) {
- InspectionBufferCopy(buffer, output, output_size);
+ InspectionBufferTruncate(buffer, output_size);
}
}
diff --git a/src/detect-transform-xor.c b/src/detect-transform-xor.c
index e42700f..18f96df 100644
--- a/src/detect-transform-xor.c
+++ b/src/detect-transform-xor.c
@@ -133,12 +133,15 @@ static void DetectTransformXor(InspectionBuffer *buffer, void *options)
if (input_len == 0) {
return;
}
- uint8_t output[input_len];
+ uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len);
+ if (output == NULL) {
+ return;
+ }
for (uint32_t i = 0; i < input_len; i++) {
output[i] = input[i] ^ pxd->key[i % pxd->length];
}
- InspectionBufferCopy(buffer, output, input_len);
+ InspectionBufferTruncate(buffer, input_len);
}
#ifdef UNITTESTS
--
2.25.1
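Review bot: In the second detect-engine.c hunk, the `if (ptr != NULL)` branch after the realloc updates only `buffer->buf` and `buffer->size`, so a `buffer->inspect` that already aliases `buffer->buf` — exactly the state InspectionBufferTruncate leaves behind with `buffer->inspect = buffer->buf` — is left pointing at the freed block whenever the allocation moves. The transforms in this patch read from `buffer->inspect` after calling InspectionBufferCheckAndExpand (the `memmove(&output[1], buffer->inspect, input_len)` in TransformDotPrefix, which also asks for one byte more than the previous transform's output), so a chained transform could copy from freed memory; unless this is handled between the two hunks, adding `if (buffer->inspect == buffer->buf) buffer->inspect = ptr;` immediately before `buffer->buf = ptr;` closes that window. The SCRealloc call and the size-doubling loop body lie between the two hunks and are not visible here, so this is inferred from the visible context lines. Minor: TransformDotPrefix's `input_len` is a `size_t` handed to the `uint32_t` parameter, which narrows silently.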


@@ -18,6 +18,7 @@ SRC_URI += " \
file://fixup.patch \
file://CVE-2024-45795.patch \
file://CVE-2024-45796.patch \
file://CVE-2024-55605.patch \
"
inherit autotools pkgconfig python3native systemd ptest cargo cargo-update-recipe-crates