meta-security/recipes-ids/suricata/files/CVE-2024-55605.patch

From f80ebd5a30b02db5915f749f0c067c7adefbbe76 Mon Sep 17 00:00:00 2001
From: Philippe Antoine <pantoine@oisf.net>
Date: Thu, 7 Nov 2024 17:49:45 +0100
Subject: [PATCH] detect/transforms: write directly in inspect buffer

instead of writing to a temporary buffer and then copying,
to save the cost of copying.

Ticket: 7229

Upstream-Status: Backport [https://github.com/OISF/suricata/commit/f80ebd5a30b02db5915f749f0c067c7adefbbe76 && https://github.com/OISF/suricata/commit/c3a6abf60134c2993ee3802ee52206e9fdbf55ba]
CVE: CVE-2024-55605
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 src/detect-engine.c                        | 23 ++++++++++++++++++++--
 src/detect-engine.h                        |  3 ++-
 src/detect-transform-compress-whitespace.c |  8 ++++++--
 src/detect-transform-dotprefix.c           | 10 +++++++---
 src/detect-transform-strip-whitespace.c    |  8 ++++++--
 src/detect-transform-urldecode.c           |  8 ++++++--
 src/detect-transform-xor.c                 |  7 +++++--
 7 files changed, 53 insertions(+), 14 deletions(-)

diff --git a/src/detect-engine.c b/src/detect-engine.c
index 141b48a..cdb24d8 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -1647,11 +1647,13 @@ void InspectionBufferFree(InspectionBuffer *buffer)
 /**
  * \brief make sure that the buffer has at least 'min_size' bytes
  * Expand the buffer if necessary
+ *
+ * \retval pointer to inner buffer to use, or NULL if realloc failed
  */
-void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size)
+uint8_t *InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size)
 {
     if (likely(buffer->size >= min_size))
-        return;
+        return buffer->buf;
 
     uint32_t new_size = (buffer->size == 0) ? 4096 : buffer->size;
     while (new_size < min_size) {
@@ -1662,7 +1664,24 @@ void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size)
     if (ptr != NULL) {
         buffer->buf = ptr;
         buffer->size = new_size;
+    } else {
+        return NULL;
     }
+    return buffer->buf;
+}
+
+/**
+ * \brief set inspect length of inspect buffer
+ * The inspect buffer may have been overallocated (by strip_whitespace for example)
+ * so, this sets the final length
+ */
+void InspectionBufferTruncate(InspectionBuffer *buffer, uint32_t buf_len)
+{
+    DEBUG_VALIDATE_BUG_ON(buffer->buf == NULL);
+    DEBUG_VALIDATE_BUG_ON(buf_len > buffer->size);
+    buffer->inspect = buffer->buf;
+    buffer->inspect_len = buf_len;
+    buffer->initialized = true;
 }
 
 void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len)
diff --git a/src/detect-engine.h b/src/detect-engine.h
index 7617e66..04713a7 100644
--- a/src/detect-engine.h
+++ b/src/detect-engine.h
@@ -31,7 +31,8 @@ void InspectionBufferInit(InspectionBuffer *buffer, uint32_t initial_size);
 void InspectionBufferSetup(DetectEngineThreadCtx *det_ctx, const int list_id,
         InspectionBuffer *buffer, const uint8_t *data, const uint32_t data_len);
 void InspectionBufferFree(InspectionBuffer *buffer);
-void InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size);
+uint8_t *InspectionBufferCheckAndExpand(InspectionBuffer *buffer, uint32_t min_size);
+void InspectionBufferTruncate(InspectionBuffer *buffer, uint32_t buf_len);
 void InspectionBufferCopy(InspectionBuffer *buffer, uint8_t *buf, uint32_t buf_len);
 void InspectionBufferApplyTransforms(InspectionBuffer *buffer,
         const DetectEngineTransforms *transforms);
diff --git a/src/detect-transform-compress-whitespace.c b/src/detect-transform-compress-whitespace.c
index 5cbf0fd..cc78c7e 100644
--- a/src/detect-transform-compress-whitespace.c
+++ b/src/detect-transform-compress-whitespace.c
@@ -111,7 +111,11 @@ static void TransformCompressWhitespace(InspectionBuffer *buffer, void *options)
         return;
     }
 
-    uint8_t output[input_len]; // we can only shrink
+    // we can only shrink
+    uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len);
+    if (output == NULL) {
+        return;
+    }
     uint8_t *oi = output, *os = output;
 
     //PrintRawDataFp(stdout, input, input_len);
@@ -132,7 +136,7 @@ static void TransformCompressWhitespace(InspectionBuffer *buffer, void *options)
     uint32_t output_size = oi - os;
     //PrintRawDataFp(stdout, output, output_size);
 
-    InspectionBufferCopy(buffer, os, output_size);
+    InspectionBufferTruncate(buffer, output_size);
 }
 
 #ifdef UNITTESTS
diff --git a/src/detect-transform-dotprefix.c b/src/detect-transform-dotprefix.c
index 52a2633..d58e1d4 100644
--- a/src/detect-transform-dotprefix.c
+++ b/src/detect-transform-dotprefix.c
@@ -110,11 +110,15 @@ static void TransformDotPrefix(InspectionBuffer *buffer, void *options)
     const size_t input_len = buffer->inspect_len;
 
     if (input_len) {
-        uint8_t output[input_len + 1]; // For the leading '.'
+        // For the leading '.'
+        uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len + 1);
+        if (output == NULL) {
+            return;
+        }
 
+        memmove(&output[1], buffer->inspect, input_len);
         output[0] = '.';
-        memcpy(&output[1], buffer->inspect, input_len);
-        InspectionBufferCopy(buffer, output, input_len + 1);
+        InspectionBufferTruncate(buffer, input_len + 1);
     }
 }
 
diff --git a/src/detect-transform-strip-whitespace.c b/src/detect-transform-strip-whitespace.c
index 32fb96f..6040592 100644
--- a/src/detect-transform-strip-whitespace.c
+++ b/src/detect-transform-strip-whitespace.c
@@ -106,7 +106,11 @@ static void TransformStripWhitespace(InspectionBuffer *buffer, void *options)
     if (input_len == 0) {
         return;
     }
-    uint8_t output[input_len]; // we can only shrink
+    // we can only shrink
+    uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len);
+    if (output == NULL) {
+        return;
+    }
     uint8_t *oi = output, *os = output;
 
     //PrintRawDataFp(stdout, input, input_len);
@@ -119,7 +123,7 @@ static void TransformStripWhitespace(InspectionBuffer *buffer, void *options)
     uint32_t output_size = oi - os;
     //PrintRawDataFp(stdout, output, output_size);
 
-    InspectionBufferCopy(buffer, os, output_size);
+    InspectionBufferTruncate(buffer, output_size);
 }
 
 #ifdef UNITTESTS
diff --git a/src/detect-transform-urldecode.c b/src/detect-transform-urldecode.c
index 13ef033..a4e9655 100644
--- a/src/detect-transform-urldecode.c
+++ b/src/detect-transform-urldecode.c
@@ -125,12 +125,16 @@ static void TransformUrlDecode(InspectionBuffer *buffer, void *options)
     if (input_len == 0) {
         return;
     }
-    uint8_t output[input_len]; // we can only shrink
+    // we can only shrink
+    uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len);
+    if (output == NULL) {
+        return;
+    }
 
     changed = BufferUrlDecode(input, input_len, output, &output_size);
 
     if (changed) {
-        InspectionBufferCopy(buffer, output, output_size);
+        InspectionBufferTruncate(buffer, output_size);
     }
 }
 
diff --git a/src/detect-transform-xor.c b/src/detect-transform-xor.c
index e42700f..18f96df 100644
--- a/src/detect-transform-xor.c
+++ b/src/detect-transform-xor.c
@@ -133,12 +133,15 @@ static void DetectTransformXor(InspectionBuffer *buffer, void *options)
     if (input_len == 0) {
         return;
     }
-    uint8_t output[input_len];
+    uint8_t *output = InspectionBufferCheckAndExpand(buffer, input_len);
+    if (output == NULL) {
+        return;
+    }
 
     for (uint32_t i = 0; i < input_len; i++) {
         output[i] = input[i] ^ pxd->key[i % pxd->length];
     }
-    InspectionBufferCopy(buffer, output, input_len);
+    InspectionBufferTruncate(buffer, input_len);
 }
 
 #ifdef UNITTESTS
-- 
2.25.1