mirrors/meta-security
1
0
Fork 0
mirror of https://git.yoctoproject.org/meta-security synced 2026-01-11 15:00:34 +00:00
Code Issues Projects Releases Wiki Activity
Files
029cf84f6b8c271ffed7b6aae8000d9a3e947d61
meta-security/recipes-ids/suricata/files/CVE-2025-29916-01.patch
Hitendra Prajapati eeb63dc67d suricata: fix multiple CVEs 
Backport fixes for:

* CVE-2025-29916 - Upstream-Status: Backport from 2f432c99a9 && e28c8c655a && d86c5f9f0c
* CVE-2025-29917 - Upstream-Status: Backport from bab716776b
* CVE-2025-29918 - Upstream-Status: Backport from f6c9490e1f

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
2025-11-24 19:04:14 +02:00

125 lines
5.3 KiB
Diff
Raw Blame History

From 2f432c99a9734ea3a75c9218f35060e11a7a39ad Mon Sep 17 00:00:00 2001
From: Victor Julien <vjulien@oisf.net>
Date: Tue, 18 Mar 2025 10:55:39 +0100
Subject: [PATCH] datasets: improve default hashsize handling
Make hashsize default local to dataset code, instead of relying on the
thash code.
Use the same default value as before.
(cherry picked from commit d32a39ca4b53d7f659f4f0a2a5c162ef97dc4797)
Upstream-Status: Backport [https://github.com/OISF/suricata/commit/2f432c99a9734ea3a75c9218f35060e11a7a39ad]
CVE: CVE-2025-29916
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
src/datasets.c | 37 +++++++++++++++++++++++--------------
1 file changed, 23 insertions(+), 14 deletions(-)
diff --git a/src/datasets.c b/src/datasets.c
index 32bcf6e..89e7899 100644
--- a/src/datasets.c
+++ b/src/datasets.c
@@ -677,6 +677,11 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save,
}
}
+ GetDefaultMemcap(&default_memcap, &default_hashsize);
+ if (hashsize == 0) {
+ hashsize = default_hashsize;
+ }
+
set = DatasetAlloc(name);
if (set == NULL) {
goto out_err;
@@ -696,12 +701,11 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save,
char cnf_name[128];
snprintf(cnf_name, sizeof(cnf_name), "datasets.%s.hash", name);
- GetDefaultMemcap(&default_memcap, &default_hashsize);
switch (type) {
case DATASET_TYPE_MD5:
set->hash = THashInit(cnf_name, sizeof(Md5Type), Md5StrSet, Md5StrFree, Md5StrHash,
Md5StrCompare, load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap,
- hashsize > 0 ? hashsize : default_hashsize);
+ hashsize);
if (set->hash == NULL)
goto out_err;
if (DatasetLoadMd5(set) < 0)
@@ -710,7 +714,7 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save,
case DATASET_TYPE_STRING:
set->hash = THashInit(cnf_name, sizeof(StringType), StringSet, StringFree, StringHash,
StringCompare, load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap,
- hashsize > 0 ? hashsize : default_hashsize);
+ hashsize);
if (set->hash == NULL)
goto out_err;
if (DatasetLoadString(set) < 0)
@@ -719,26 +723,25 @@ Dataset *DatasetGet(const char *name, enum DatasetTypes type, const char *save,
case DATASET_TYPE_SHA256:
set->hash = THashInit(cnf_name, sizeof(Sha256Type), Sha256StrSet, Sha256StrFree,
Sha256StrHash, Sha256StrCompare, load != NULL ? 1 : 0,
- memcap > 0 ? memcap : default_memcap,
- hashsize > 0 ? hashsize : default_hashsize);
+ memcap > 0 ? memcap : default_memcap, hashsize);
if (set->hash == NULL)
goto out_err;
if (DatasetLoadSha256(set) < 0)
goto out_err;
break;
case DATASET_TYPE_IPV4:
- set->hash = THashInit(cnf_name, sizeof(IPv4Type), IPv4Set, IPv4Free, IPv4Hash,
- IPv4Compare, load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap,
- hashsize > 0 ? hashsize : default_hashsize);
+ set->hash =
+ THashInit(cnf_name, sizeof(IPv4Type), IPv4Set, IPv4Free, IPv4Hash, IPv4Compare,
+ load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap, hashsize);
if (set->hash == NULL)
goto out_err;
if (DatasetLoadIPv4(set) < 0)
goto out_err;
break;
case DATASET_TYPE_IPV6:
- set->hash = THashInit(cnf_name, sizeof(IPv6Type), IPv6Set, IPv6Free, IPv6Hash,
- IPv6Compare, load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap,
- hashsize > 0 ? hashsize : default_hashsize);
+ set->hash =
+ THashInit(cnf_name, sizeof(IPv6Type), IPv6Set, IPv6Free, IPv6Hash, IPv6Compare,
+ load != NULL ? 1 : 0, memcap > 0 ? memcap : default_memcap, hashsize);
if (set->hash == NULL)
goto out_err;
if (DatasetLoadIPv6(set) < 0)
@@ -825,6 +828,10 @@ void DatasetPostReloadCleanup(void)
SCMutexUnlock(&sets_lock);
}
+/* Value reflects THASH_DEFAULT_HASHSIZE which is what the default was earlier,
+ * despite 2048 commented out in the default yaml. */
+#define DATASETS_HASHSIZE_DEFAULT 4096
+
static void GetDefaultMemcap(uint64_t *memcap, uint32_t *hashsize)
{
const char *str = NULL;
@@ -836,12 +843,14 @@ static void GetDefaultMemcap(uint64_t *memcap, uint32_t *hashsize)
*memcap = 0;
}
}
+
+ *hashsize = (uint32_t)DATASETS_HASHSIZE_DEFAULT;
if (ConfGet("datasets.defaults.hashsize", &str) == 1) {
if (ParseSizeStringU32(str, hashsize) < 0) {
+ *hashsize = (uint32_t)DATASETS_HASHSIZE_DEFAULT;
SCLogWarning("hashsize value cannot be deduced: %s,"
- " resetting to default",
- str);
- *hashsize = 0;
+ " resetting to default: %u",
+ str, *hashsize);
}
}
}
--
2.49.0
Reference in New Issue View Git Blame Copy Permalink