Actions
Bug #5409
closedPCRE: use match and recursion limit for pcrexform
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport, Needs backport to 6.0
Description
cf https://www.regular-expressions.info/catastrophic.html
As found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44742&q=label%3AProj-suricata&can=2
which basically ends up to
#include <pcre2.h>
#include <stdio.h>
int main(int argc, char **argv) {
int en;
PCRE2_SIZE eo;
pcre2_code *regex = pcre2_compile((PCRE2_SPTR8)"[a-wA-Z]+\\S+.*\\s+HTTP", PCRE2_ZERO_TERMINATED, 0, &en, &eo, NULL);
pcre2_match_data *match = pcre2_match_data_create_from_pattern(regex, NULL);
uint8_t * input= "<horoscope><rssversion=\"2.0\"xmlns:a=\"http://schemas.microsoft.com/msn/targeting/recommend\"xmlns:msn=\"http://www.msn.com\"><channel><title>Horoscope</title><item><title>Aries</title><description>Thisisyourluckyday,Aries,andyoucanexpectallsortsofwonderfulsurprises.Youmayenjoyafinancialsurpriseorsomeonecouldproposeaninterestingandpotentiallylucrative...</description><msn:image><msn:title>Aries</msn:title><msn:link>http://a.sc.msn.com/c/my/horoscope/ari.jpg</msn:link></msn:image><msn:daterange>March20-April18</msn:daterange></item><description>ProvidedbyAstrocenter.com</description></channel></rss><ad></ad></horoscope>";
size_t input_len = 621;
printf("start\n");
pcre2_match(regex, (PCRE2_SPTR8)input, input_len, 0, 0, match, NULL);
printf("end\n");
return 0;
}
which takes 3 seconds to run the match
rule is alert tcp any any -> any any (file.data; strip_whitespace; pcrexform:"[a-wA-Z]+\S+(.*)\s+HTTP"; content:"/z4>0m"; endswith; sid:124;)
Updated by Philippe Antoine over 2 years ago
- Tracker changed from Feature to Bug
- Subject changed from PCRE: detect potential catastrophic backtracking to PCRE: use match and recursion limit for pcrexform
- Assignee changed from OISF Dev to Philippe Antoine
- Target version changed from TBD to 7.0.0-beta1
- Label Needs backport, Needs backport to 6.0 added
- Affected Versions 6.0.5 added
Updated by Philippe Antoine over 2 years ago
- Status changed from New to Resolved
Updated by Philippe Antoine over 2 years ago
- Status changed from Resolved to In Review
Updated by Philippe Antoine over 2 years ago
- Copied to Bug #5414: PCRE: use match and recursion limit for pcrexform (6.0.x backport) added
Updated by Philippe Antoine over 2 years ago
- Status changed from In Review to Resolved
Updated by Victor Julien over 2 years ago
- Status changed from Resolved to Closed
Actions